Using a Cookie (with HTTPOnly flag) for authentication instead of plain Tokens

[sinkozs]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched in the documentation/README.
• I already searched in Google "How to do X" and didn't find any information.
• I already read and followed all the tutorial in the docs/README and didn't find an answer.

Commit to Help

• I commit to help with one of those options 👆

Example Code

def set_auth_cookie(subject: str | Any, expires_delta: timedelta) -> Response:
    access_token = create_access_token(subject, expires_delta)
    response = JSONResponse(content={"message": "Login successful"})
    # Note: The secure flag on cookies ensures they're only sent over encrypted HTTPS connections. For local development (HTTP) set it to False
    response.set_cookie(
        key="http_only_auth_cookie",
        value=access_token,
        httponly=True,
        max_age=3600,
        expires=3600,
        samesite="lax",
        secure=True,
        domain=None,
    )
    return response

@router.post("/login/access-token")
def login_access_token(
    session: SessionDep, form_data: Annotated[OAuth2PasswordRequestForm, Depends()]
) -> JSONResponse:
    """
    OAuth2-compatible token login: get an access token for future requests (sent in an HTTP-only cookie)
    """
    user = crud.authenticate(
        session=session, email=form_data.username, password=form_data.password
    )
    if not user:
        raise HTTPException(status_code=400, detail="Incorrect email or password")
    elif not user.is_active:
        raise HTTPException(status_code=400, detail="Inactive user")
    access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
    return security.set_auth_cookie(user.id, access_token_expires)

Description

I'm thinking about changing the authentication flow: use a cookie (with the httponly=True option) for authentication instead of sending the token in plain text. HTTP-only cookies can't be accessed by JavaScript, making them resistant to cross-site scripting (XSS) attacks. I believe this is a more secure approach, and I'm happy to implement the change, but since it would require modifying multiple files I wanted to discuss it first. I already have a POC version running locally. I copied the main backend code changes above.

Operating System

Linux

Operating System Details

Ubuntu

Python Version

Python 3.10.12

Additional Context

No response

[YuriiMotov]

There is already an issue: #189

And, in the comments to your PR it's discussed that this approach will not work in Swagger UI..