Add optional SameSite property for session cookie (GH-50)

Co-authored-by: Jung Hun-soo <[email protected]>
pysnippet · Sep 30, 2024 · 33b42dc · 33b42dc
2 parents cbdf342 + d076d9e
commit 33b42dc
Show file tree

Hide file tree

Showing 7 changed files with 12 additions and 1 deletion.
diff --git a/docs/integration/configuration.md b/docs/integration/configuration.md
@@ -10,6 +10,9 @@ The `OAuth2Config` class is used to define the middleware configuration, and it
 
 - `enable_ssr` - Whether enable server-side rendering or not. Defaults to `True`.
 - `allow_http` - Whether allow HTTP requests or not. Defaults to `False`.
+- `same_site` -
+  The [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value) attribute
+  of the session cookie. Defaults to `lax`.
 - `jwt_secret` - Secret used to sign the JWT tokens. Defaults to an empty string.
 - `jwt_expires` - JWT lifetime in seconds. Defaults to 900 (15 minutes).
 - `jwt_algorithm` - The algorithm used to sign the JWT tokens. Defaults to `HS256`.

diff --git a/examples/demonstration/router_api.py b/examples/demonstration/router_api.py
@@ -28,5 +28,6 @@ def sim_auth(request: Request):
         max_age=request.auth.expires,
         expires=request.auth.expires,
         httponly=request.auth.http,
+        samesite=request.auth.same_site,
     )
     return response
diff --git a/src/fastapi_oauth2/__init__.py b/src/fastapi_oauth2/__init__.py
@@ -1 +1 @@
-__version__ = "1.2.0"
+__version__ = "1.3.0"
diff --git a/src/fastapi_oauth2/config.py b/src/fastapi_oauth2/config.py
@@ -10,6 +10,7 @@ class OAuth2Config:
 
     enable_ssr: bool
     allow_http: bool
+    same_site: str
     jwt_secret: str
     jwt_expires: int
     jwt_algorithm: str
@@ -20,6 +21,7 @@ def __init__(
             *,
             enable_ssr: bool = True,
             allow_http: bool = False,
+            same_site: str = "lax",
             jwt_secret: str = "",
             jwt_expires: Union[int, str] = 900,
             jwt_algorithm: str = "HS256",
@@ -29,6 +31,7 @@ def __init__(
             os.environ["OAUTHLIB_INSECURE_TRANSPORT"] = "1"
         self.enable_ssr = enable_ssr
         self.allow_http = allow_http
+        self.same_site = same_site
         self.jwt_secret = jwt_secret
         self.jwt_expires = int(jwt_expires)
         self.jwt_algorithm = jwt_algorithm

diff --git a/src/fastapi_oauth2/core.py b/src/fastapi_oauth2/core.py
@@ -145,6 +145,7 @@ async def token_redirect(self, request: Request, **kwargs) -> RedirectResponse:
             expires=request.auth.expires,
             secure=not request.auth.http,
             httponly=True,
+            samesite=request.auth.same_site,
         )
         return response
 

diff --git a/src/fastapi_oauth2/middleware.py b/src/fastapi_oauth2/middleware.py
@@ -39,6 +39,7 @@ class Auth(AuthCredentials):
     http: bool
     secret: str
     expires: int
+    same_site: str
     algorithm: str
     scopes: List[str]
     provider: OAuth2Core
@@ -92,6 +93,7 @@ def __init__(
         Auth.http = config.allow_http
         Auth.secret = config.jwt_secret
         Auth.expires = config.jwt_expires
+        Auth.same_site = config.same_site
         Auth.algorithm = config.jwt_algorithm
         Auth.clients = {
             client.backend.name: OAuth2Core(client)

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -75,6 +75,7 @@ def auth(request: Request):
                 max_age=request.auth.expires,
                 expires=request.auth.expires,
                 httponly=request.auth.http,
+                samesite=request.auth.same_site,
             )
             return response