Skip to content

Replace plaintext auth tokens with HttpOnly cookies #1606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 13 commits into from
Closed

Replace plaintext auth tokens with HttpOnly cookies #1606

wants to merge 13 commits into from

Conversation

@sinkozs
Copy link

@sinkozs sinkozs commented Apr 30, 2025

Overview

Currently authentication tokens are sent in plain text format. This can be a security vulnerability because attackers can run malicious JS scripts in the browser to access the user's token and perform session hijacking. A recommended solution for this vulnerability is to send auth tokens in a Cookie with the HttpOnly flag set. HttpOnly cookies’ content is not accessible from JavaScript, preventing XSS attacks from stealing these tokens.

Backend changes:

  • We use the original create_access_token function to generate the JWT token but instead of returning it directly in the /login endpoint, we return a JSONResponse with an http-only cookie, which contains the token.
  • In the updated get_current_user function, now there is an APIKeyCookie dependency, but the way we decode the JWT token didn't change.
  • I implemented the /logout endpoint which deletes the cookie.
  • The cookie has a predefined expiration – after it expires, the user gets logged out automatically when they try to navigate to another page (which sends an authenticated request to the backend).
  • Updated the backend tests accordingly

Frontend changes:

  • In the frontend API calls, we should set the withCredentials=true parameter to include the cookies in the requests
  • Instead of sending the token in the headers, we should use the cookies request parameter
  • Instead of storing the access_token in localStorage (the token is not accessible from JS anymore), now we store the is_authenticated boolean value and use it to check authentication and remove it during logout

Before:

image

After:

image

@sinkozs sinkozs force-pushed the use-http-only-cookie branch 3 times, most recently from b0cb31b to 71affa9 Compare May 2, 2025 09:00
@joshwisehub
Copy link

joshwisehub commented May 22, 2025

what happens to the swagger docs using this implementation. when we want authenticate it seems like pasting any text it authorizes automatically no request is sent to the server.

@joshwisehub
Copy link

joshwisehub commented May 28, 2025

After some reserach i found this https://swagger.io/docs/specification/v3_0/authentication/cookie-authentication/
image
is seems like the swagger docs does not support this.

@github-actions github-actions bot added the conflicts Automatically generated when a PR has a merge conflict label Sep 9, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Sep 9, 2025

This pull request has a merge conflict that needs to be resolved.

@tiangolo
Copy link
Member

tiangolo commented Sep 20, 2025

Thanks for the interest! I think it would be better to have this change in the specific project you're building and not here in the template. For now, I'll pass on this one. Thanks! ☕

@tiangolo tiangolo closed this Sep 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

conflicts Automatically generated when a PR has a merge conflict

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sinkozs @joshwisehub @tiangolo