Add optional SameSite property for session cookie (GH-50)

Co-authored-by: Jung Hun-soo <[email protected]>

Author: ArtyomVancyan

docs/integration/configuration.md

@@ -10,6 +10,9 @@ The `OAuth2Config` class is used to define the middleware configuration, and it
 
 - `enable_ssr` - Whether enable server-side rendering or not. Defaults to `True`.
 - `allow_http` - Whether allow HTTP requests or not. Defaults to `False`.
+- `same_site` -
+  The [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value) attribute
+  of the session cookie. Defaults to `lax`.
 - `jwt_secret` - Secret used to sign the JWT tokens. Defaults to an empty string.
 - `jwt_expires` - JWT lifetime in seconds. Defaults to 900 (15 minutes).
 - `jwt_algorithm` - The algorithm used to sign the JWT tokens. Defaults to `HS256`.

examples/demonstration/router_api.py

@@ -28,5 +28,6 @@ def sim_auth(request: Request):
         max_age=request.auth.expires,
         expires=request.auth.expires,
         httponly=request.auth.http,
+        samesite=request.auth.same_site,
     )
     return response

src/fastapi_oauth2/__init__.py

@@ -1 +1 @@
-__version__ = "1.2.0"
+__version__ = "1.3.0"

src/fastapi_oauth2/config.py

@@ -10,6 +10,7 @@ class OAuth2Config:
 
     enable_ssr: bool
     allow_http: bool
+    same_site: str
     jwt_secret: str
     jwt_expires: int
     jwt_algorithm: str
@@ -20,6 +21,7 @@ def __init__(
             *,
             enable_ssr: bool = True,
             allow_http: bool = False,
+            same_site: str = "lax",
             jwt_secret: str = "",
             jwt_expires: Union[int, str] = 900,
             jwt_algorithm: str = "HS256",
@@ -29,6 +31,7 @@ def __init__(
             os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = "1"
         self.enable_ssr = enable_ssr
         self.allow_http = allow_http
+        self.same_site = same_site
         self.jwt_secret = jwt_secret
         self.jwt_expires = int(jwt_expires)
         self.jwt_algorithm = jwt_algorithm

src/fastapi_oauth2/core.py

@@ -145,6 +145,7 @@ async def token_redirect(self, request: Request, **kwargs) -> RedirectResponse:
             expires=request.auth.expires,
             secure=not request.auth.http,
             httponly=True,
+            samesite=request.auth.same_site,
         )
         return response
 

src/fastapi_oauth2/middleware.py

@@ -39,6 +39,7 @@ class Auth(AuthCredentials):
     http: bool
     secret: str
     expires: int
+    same_site: str
     algorithm: str
     scopes: List[str]
     provider: OAuth2Core
@@ -92,6 +93,7 @@ def __init__(
         Auth.http = config.allow_http
         Auth.secret = config.jwt_secret
         Auth.expires = config.jwt_expires
+        Auth.same_site = config.same_site
         Auth.algorithm = config.jwt_algorithm
         Auth.clients = {
             client.backend.name: OAuth2Core(client)

tests/conftest.py

@@ -75,6 +75,7 @@ def auth(request: Request):
                 max_age=request.auth.expires,
                 expires=request.auth.expires,
                 httponly=request.auth.http,
+                samesite=request.auth.same_site,
             )
             return response