
I am looking to integrate Cookie based authentication in my FastAPI App. I want the same to work seamlessly with swagger as well.

I want to have a route (eg: /login) which sets my browser cookies. All other protected routes use Depends in the decorator to verify the key present in the cookie. How do I get this to work with the OpenAPI authorize button?

Important factor here is integration with Swagger/OpenAPI docs auto generated by FastAPI.

Irfanuddin

1 Answer

You can have a look at the fastapi-users module that implements a cookie-based authentication (it implements other user-management-related stuff as well, so it is worth a look anyway!).

According to the cookie docs:

Configuration

from fastapi_users.authentication import CookieAuthentication

SECRET = "SECRET"  # key used to sign the token stored in the cookie; keep it out of source control

auth_backends = []

# the cookie expires after lifetime_seconds (here one hour)
cookie_authentication = CookieAuthentication(secret=SECRET, lifetime_seconds=3600)

auth_backends.append(cookie_authentication)

As you can see, instantiation is quite simple. You just have to define a constant SECRET which is used to encode the token and the lifetime of the cookie (in seconds).

You can also define the parameters for the generated cookie:

  • cookie_name (fastapiusersauth): Name of the cookie.
  • cookie_path (/): Cookie path.
  • cookie_domain (None): Cookie domain.
  • cookie_secure (True): Whether to only send the cookie to the server via SSL request.
  • cookie_httponly (True): Whether to prevent access to the cookie via JavaScript.
  • cookie_samesite (lax): A string that specifies the same site strategy for the cookie. Valid values are 'lax', 'strict' and 'none'. Defaults to 'lax'.

Then you can login with a POST request on the /login endpoint and set the cookie on the browser.

I found no info on the auto-OpenAPI integration, but since login is setting the cookie on the browser, you can log in once and then use the API.

John Moutafis

  • Thanks for this. I went through the project, great work. But, integration with OpenAPI Spec is something critical for me. – Irfanuddin Mar 31 '21 at 15:58
  • @iudeen I have not tried that, but tiangolo writes here: https://github.com/tiangolo/fastapi/issues/880#issuecomment-610515859 that if an endpoint sets the cookie to the browser, then the swagger interaction is considered authenticated. So use the `/login` first and then try the other routes? – John Moutafis Mar 31 '21 at 16:19
  • Looks like it. Shame we can't properly document this in OpenAPI Spec. It would look really great if we could show that lock symbol OpenAPI gives on protected routes. – Irfanuddin Mar 31 '21 at 20:54
  • Hello, fastapi-users maintainer here. Indeed, OpenAPI isn't able to handle cookie authentication in the UI; however, as Tiangolo says, you can call the auth endpoint that will set the cookie and then call the protected routes without any issue. Anyway, you'll still have the lock on protected routes. - Demo: https://fastapi-users-example-cookie.frankie567.repl.co/docs - Source: https://replit.com/@frankie567/fastapi-users-example-cookie – frankie567 Apr 03 '21 at 07:34
  • All the links were down, were they deprecated or outdated? – Man Man Yu Sep 02 '22 at 09:39
  • @ManManYu seems like in the latest version of FastAPI Users they changed the method: https://fastapi-users.github.io/fastapi-users/10.1/migration/8x_to_9x/?h=cookieauthen#i-used-cookieauthentication I will follow up with an update to the response. – John Moutafis Sep 05 '22 at 07:07