Cookie request to users/me/ failing #1255

rbracco · 2023-07-19T14:35:54Z

rbracco
Jul 19, 2023

Hey! I'm trying to add an auth router that uses cookie based transport. I was able to setup the new auth backend, and when I login it returns a null 200 response that contains a set-cookie header, but then when I make a fetch request to /users/me I get a 401 unauthorized and I can't see the cookie being sent in the network request. Here's exactly what I'm doing, please let me know if there's any more info I can provide.

Fastapi-users version 9.3

FastAPI Side

# users.py
# explicit cookie_secure only for testing, I'll replace w an ENV variable when deployed
cookie_transport = CookieTransport(cookie_max_age=3600, cookie_name="token", cookie_secure=False)

auth_backend_cookie = AuthenticationBackend(
    name="cookie",
    transport=cookie_transport,
    get_strategy=get_jwt_strategy,
)

fastapi_users = FastAPIUsers(
    get_user_manager,
    [auth_backend_cookie],
    User,
    UserCreate,
    UserUpdate,
    UserDB,
)

#app.py
app.add_middleware(
    CORSMiddleware,
    allow_origins=["http://localhost:3000"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
    expose_headers=["Content-Type", "Cookie", "Set-Cookie"],
)

app.include_router(fastapi_users.get_auth_router(auth_backend_cookie), prefix="/auth/cookie", tags=["auth"])
app.include_router(
    fastapi_users.get_register_router(),
    prefix="/auth",
    tags=["auth"],
    dependencies=[Depends(validate_invite)],
)

Frontend

const resp = await fetch(`${api.host}/users/me`, {
                    credentials: 'include',
                })
                console.log('UsersMe resp', resp)
                const data = await resp.json()
                console.log('Data', data)

Response

{headers: Headers {}
ok: false
redirected: false
status: 401
statusText: "Unauthorized"
type: "cors"
url: "http://127.0.0.1:8000/users/me"
}

frankie567 · 2023-07-19T15:19:53Z

frankie567
Jul 19, 2023
Maintainer

Hi @rbracco 👋

It looks like a CORS issue. Allow Origins are very picky, so http://localhost:3000 is not the same as http://127.0.0.1:3000. Make sure that the host from which you call your frontend is exactly the same as the one specified in allow_origins.

0 replies

rbracco · 2023-07-19T16:09:46Z

rbracco
Jul 19, 2023
Author

Hey, sorry I should have sent the request headers in my initial post (now included below). I am operating from http://localhost:3000 and that is appearing as the Origin in the request header. I added http://127.0.0.1:3000 to my allow_origins just to be safe but I still receive the same 401 cors response. Any ideas of what I could be doing wrong? Also no worries if this is outside the scope of fastapi_users discussions, just let me know and I will try to debug elsewhere. Thank you!

GET /users/me HTTP/1.1
Accept: /
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,es-MX;q=0.8,es;q=0.7,pt-BR;q=0.6,pt;q=0.5,ru;q=0.4
Cache-Control: no-cache
Connection: keep-alive
Host: 127.0.0.1:8000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"

2 replies

frankie567 Aug 8, 2023
Maintainer

I don't see the Cookie header in the request. Are you sure it's correctly set in the browser with the right domain?

rbracco Oct 14, 2023
Author

Hey sorry, I finally got around to handling this. The issue was related to a combination of Samesite and secure policy for the cookie. I was using secure and lax in dev and that just doesn't work, only secure and none does. I eventually got it working using Secure/None in dev and Secure/Lax+CSRF in prod. Thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Cookie request to users/me/ failing #1255

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Cookie request to users/me/ failing #1255

Uh oh!

rbracco Jul 19, 2023

FastAPI Side

Frontend

Response

Replies: 2 comments · 2 replies

Uh oh!

frankie567 Jul 19, 2023 Maintainer

Uh oh!

rbracco Jul 19, 2023 Author

Uh oh!

frankie567 Aug 8, 2023 Maintainer

Uh oh!

rbracco Oct 14, 2023 Author

rbracco
Jul 19, 2023

Replies: 2 comments 2 replies

frankie567
Jul 19, 2023
Maintainer

rbracco
Jul 19, 2023
Author

frankie567 Aug 8, 2023
Maintainer

rbracco Oct 14, 2023
Author