Skip to content

Replace plaintext auth tokens with HttpOnly cookies #1606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 13 commits into
base: master
Choose a base branch
from
Open

Replace plaintext auth tokens with HttpOnly cookies #1606

wants to merge 13 commits into from
+324 −140

Conversation

sinkozs
Copy link

@sinkozs sinkozs commented Apr 30, 2025

Overview

Currently authentication tokens are sent in plain text format. This can be a security vulnerability because attackers can run malicious JS scripts in the browser to access the user's token and perform session hijacking. A recommended solution for this vulnerability is to send auth tokens in a Cookie with the HttpOnly flag set. HttpOnly cookies’ content is not accessible from JavaScript, preventing XSS attacks from stealing these tokens.

Backend changes:

  • We use the original create_access_token function to generate the JWT token but instead of returning it directly in the /login endpoint, we return a JSONResponse with an http-only cookie, which contains the token.
  • In the updated get_current_user function, now there is an APIKeyCookie dependency, but the way we decode the JWT token didn't change.
  • I implemented the /logout endpoint which deletes the cookie.
  • The cookie has a predefined expiration – after it expires, the user gets logged out automatically when they try to navigate to another page (which sends an authenticated request to the backend).
  • Updated the backend tests accordingly

Frontend changes:

  • In the frontend API calls, we should set the withCredentials=true parameter to include the cookies in the requests
  • Instead of sending the token in the headers, we should use the cookies request parameter
  • Instead of storing the access_token in localStorage (the token is not accessible from JS anymore), now we store the is_authenticated boolean value and use it to check authentication and remove it during logout

Before:

image

After:

image

@sinkozs sinkozs force-pushed the use-http-only-cookie branch 3 times, most recently from b0cb31b to 71affa9 Compare May 2, 2025 09:00
@joshwisehub
Copy link

what happens to the swagger docs using this implementation. when we want authenticate it seems like pasting any text it authorizes automatically no request is sent to the server.

@joshwisehub
Copy link

After some reserach i found this https://swagger.io/docs/specification/v3_0/authentication/cookie-authentication/
image
is seems like the swagger docs does not support this.

@github-actions github-actions bot added the conflicts Automatically generated when a PR has a merge conflict label Sep 9, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 9, 2025

This pull request has a merge conflict that needs to be resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
conflicts Automatically generated when a PR has a merge conflict
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sinkozs @joshwisehub