Expose more options for Cookie authentication

2025-08-15 03:04:27 +08:00 · 2020-01-11 10:55:02 +01:00
parent c537b58d52
commit dbbb9144b0
4 changed files with 77 additions and 21 deletions
--- a/fastapi_users/authentication/cookie.py
+++ b/fastapi_users/authentication/cookie.py
@ -17,22 +17,38 @@ class CookieAuthentication(JWTAuthentication):
    :param secret: Secret used to encode the cookie.
    :param lifetime_seconds: Lifetime duration of the cookie in seconds.
    :param cookie_name: Name of the cookie.
+    :param cookie_path: Cookie path.
+    :param cookie_domain: Cookie domain.
+    :param cookie_secure: Whether to only send the cookie to the server via SSL request.
+    :param cookie_httponly: Whether to prevent access to the cookie via JavaScript.
    :param name: Name of the backend. It will be used to name the login route.
    """

    lifetime_seconds: int
    cookie_name: str
+    cookie_path: str
+    cookie_domain: Optional[str]
+    cookie_secure: bool
+    cookie_httponly: bool

    def __init__(
        self,
        secret: str,
        lifetime_seconds: int,
        cookie_name: str = "fastapiusersauth",
+        cookie_path: str = "/",
+        cookie_domain: str = None,
+        cookie_secure: bool = True,
+        cookie_httponly: bool = True,
        name: str = "cookie",
    ):
        super().__init__(secret, lifetime_seconds, name=name)
        self.lifetime_seconds = lifetime_seconds
        self.cookie_name = cookie_name
+        self.cookie_path = cookie_path
+        self.cookie_domain = cookie_domain
+        self.cookie_secure = cookie_secure
+        self.cookie_httponly = cookie_httponly
        self.api_key_cookie = APIKeyCookie(name=self.cookie_name, auto_error=False)

    async def get_login_response(self, user: BaseUserDB, response: Response) -> Any:
@ -41,8 +57,10 @@ class CookieAuthentication(JWTAuthentication):
            self.cookie_name,
            token,
            max_age=self.lifetime_seconds,
-            secure=True,
-            httponly=True,
+            path=self.cookie_path,
+            domain=self.cookie_domain,
+            secure=self.cookie_secure,
+            httponly=self.cookie_httponly,
        )

        # We shouldn't return directly the response