Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Using a Cookie (with HTTPOnly flag) for authentication instead of plain Tokens#1564

AnsweredbyYuriiMotov
sinkozs asked this question inQuestions
Discussion options

First Check

  • I added a very descriptive title here.
  • I used the GitHub search to find a similar question and didn't find it.
  • I searched in the documentation/README.
  • I already searched in Google "How to do X" and didn't find any information.
  • I already read and followed all the tutorial in the docs/README and didn't find an answer.

Commit to Help

  • I commit to help with one of those options 👆

Example Code

def set_auth_cookie(subject: str | Any, expires_delta: timedelta) -> Response:    access_token = create_access_token(subject, expires_delta)    response = JSONResponse(content={"message": "Login successful"})    # Note: The secure flag on cookies ensures they're only sent over encrypted HTTPS connections. For local development (HTTP) set it to False    response.set_cookie(        key="http_only_auth_cookie",        value=access_token,        httponly=True,        max_age=3600,        expires=3600,        samesite="lax",        secure=True,        domain=None,    )    return response@router.post("/login/access-token")def login_access_token(    session: SessionDep, form_data: Annotated[OAuth2PasswordRequestForm, Depends()]) -> JSONResponse:    """    OAuth2-compatible token login: get an access token for future requests (sent in an HTTP-only cookie)    """    user = crud.authenticate(        session=session, email=form_data.username, password=form_data.password    )    if not user:        raise HTTPException(status_code=400, detail="Incorrect email or password")    elif not user.is_active:        raise HTTPException(status_code=400, detail="Inactive user")    access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)    return security.set_auth_cookie(user.id, access_token_expires)

Description

I'm thinking about changing the authentication flow: use a cookie (with the httponly=True option) for authentication instead of sending the token in plain text.HTTP-only cookiescan't be accessed by JavaScript, making them resistant to cross-site scripting (XSS) attacks. I believe this is a more secure approach, and I'm happy to implement the change, but since it would require modifying multiple files I wanted to discuss it first. I already have a POC version running locally. I copied the main backend code changes above.

Operating System

Linux

Operating System Details

Ubuntu

Python Version

Python 3.10.12

Additional Context

No response

You must be logged in to vote

There is already an issue:#189

And, in the comments to your PR it's discussed thatthis approach will not work in Swagger UI..

Replies: 2 comments

Comment options

There is already an issue:#189

And, in the comments to your PR it's discussed thatthis approach will not work in Swagger UI..

You must be logged in to vote
0 replies
Answer selected byYuriiMotov
Comment options

Storingaccess_token in localStorage makes server side rendering in private pages impossible.

You must be logged in to vote
0 replies
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
questionFurther information is requested
3 participants
@sinkozs@nemanjam@YuriiMotov
[8]ページ先頭
©2009-2025 Movatter.jp