enh: cookie auth

2025-06-26 18:26:48 +00:00 · 2024-06-19 14:38:09 -07:00
parent 1b100660af
commit b36c525ebc
5 changed files with 42 additions and 12 deletions
--- a/backend/apps/webui/routers/auths.py
+++ b/backend/apps/webui/routers/auths.py
@@ -2,6 +2,7 @@ import logging

 from fastapi import Request, UploadFile, File
 from fastapi import Depends, HTTPException, status
+from fastapi.responses import Response

 from fastapi import APIRouter
 from pydantic import BaseModel
@@ -47,7 +48,23 @@ router = APIRouter()


@router.get("/", response_model=UserResponse)
-async def get_session_user(user=Depends(get_current_user)):
+async def get_session_user(
+    request: Request, response: Response, user=Depends(get_current_user)
+):
+    token = create_token(
+        data={"id": user.id},
+        expires_delta=parse_duration(request.app.state.config.JWT_EXPIRES_IN),
+    )
+
+    # Set the cookie token
+    response.set_cookie(
+        key="token",
+        value=token,
+        httponly=True,  # Ensures the cookie is not accessible via JavaScript
+        secure=True,  # Ensures the cookie is sent over https
+        samesite="lax",
+    )
+
    return {
        "id": user.id,
        "email": user.email,
--- a/backend/utils/utils.py
+++ b/backend/utils/utils.py
@@ -1,5 +1,5 @@
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
-from fastapi import HTTPException, status, Depends
+from fastapi import HTTPException, status, Depends, Request

 from apps.webui.models.users import Users

@@ -24,7 +24,8 @@ ALGORITHM = "HS256"
 # Auth Utils
 ##############

-bearer_security = HTTPBearer()
+bearer_security = HTTPBearer(auto_error=False)
+
 pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


@@ -75,13 +76,24 @@ def get_http_authorization_cred(auth_header: str):


 def get_current_user(
+    request: Request,
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
 ):
+    # get token from cookie
+    token = request.cookies.get("token")
+
+    if auth_token is None and token is None:
+        raise HTTPException(status_code=403, detail="Not authenticated")
+
+    if auth_token is not None:
+        token = auth_token.credentials
+
    # auth by api key
-    if auth_token.credentials.startswith("sk-"):
-        return get_current_user_by_api_key(auth_token.credentials)
+    if token.startswith("sk-"):
+        return get_current_user_by_api_key(token)
+
    # auth by jwt token
-    data = decode_token(auth_token.credentials)
+    data = decode_token(token)
    if data != None and "id" in data:
        user = Users.get_user_by_id(data["id"])
        if user is None: