add csrf token config parameters to main oauth router getter function

2026-03-13 07:49:55 +08:00 · 2025-12-19 09:47:31 +01:00
parent 1df7c1038d
commit ba507a78b4
1 changed files with 27 additions and 2 deletions
--- a/fastapi_users/fastapi_users.py
+++ b/fastapi_users/fastapi_users.py
@@ -1,5 +1,5 @@
 from collections.abc import Sequence
-from typing import Generic
+from typing import Generic, Literal

 from fastapi import APIRouter

@@ -19,7 +19,10 @@ try:
    from httpx_oauth.oauth2 import BaseOAuth2

    from fastapi_users.router import get_oauth_router
-    from fastapi_users.router.oauth import get_oauth_associate_router
+    from fastapi_users.router.oauth import (
+        CSRF_TOKEN_COOKIE_NAME,
+        get_oauth_associate_router,
+    )
 except ModuleNotFoundError:  # pragma: no cover
    BaseOAuth2 = type  # type: ignore

@@ -99,6 +102,13 @@ class FastAPIUsers(Generic[models.UP, models.ID]):
        redirect_url: str | None = None,
        associate_by_email: bool = False,
        is_verified_by_default: bool = False,
+        *,
+        csrf_token_cookie_name: str = CSRF_TOKEN_COOKIE_NAME,
+        csrf_token_cookie_path: str = "/",
+        csrf_token_cookie_domain: str | None = None,
+        csrf_token_cookie_secure: bool = True,
+        csrf_token_cookie_httponly: bool = True,
+        csrf_token_cookie_samesite: Literal["lax", "strict", "none"] = "lax",
    ) -> APIRouter:
        """
        Return an OAuth router for a given OAuth client and authentication backend.
@@ -113,6 +123,15 @@ class FastAPIUsers(Generic[models.UP, models.ID]):
        :param is_verified_by_default: If True, the `is_verified` flag will be
        set to `True` on newly created user. Make sure the OAuth Provider you're
        using does verify the email address before enabling this flag.
+        :param csrf_token_cookie_name: Name of the cookie.
+        :param csrf_token_cookie_path:  Cookie path.
+        :param csrf_token_cookie_domain: Cookie domain.
+        :param csrf_token_cookie_secure: Whether to only send the cookie to the
+        server via SSL request.
+        :param csrf_token_cookie_httponly: Whether to prevent access to the cookie
+        via JavaScript.
+        :param csrf_token_cookie_samesite: A string that specifies the samesite
+        strategy for the cookie. Valid values are lax, strict and none. Defaults to lax.
        """
        return get_oauth_router(
            oauth_client,
@@ -122,6 +141,12 @@ class FastAPIUsers(Generic[models.UP, models.ID]):
            redirect_url,
            associate_by_email,
            is_verified_by_default,
+            csrf_token_cookie_name=csrf_token_cookie_name,
+            csrf_token_cookie_path=csrf_token_cookie_path,
+            csrf_token_cookie_domain=csrf_token_cookie_domain,
+            csrf_token_cookie_secure=csrf_token_cookie_secure,
+            csrf_token_cookie_httponly=csrf_token_cookie_httponly,
+            csrf_token_cookie_samesite=csrf_token_cookie_samesite,
        )

    def get_oauth_associate_router(