issue with 11.0 and safari #1222
I changed your examples -> sqlalchemy to use cookie instead of JWT auth. The users.py code looks like the following. Two issues I found:
```python
import uuid

from fastapi import Depends, Request
from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin
from fastapi_users.authentication import (
    AuthenticationBackend,
    BearerTransport,
    CookieTransport,
    JWTStrategy,
)
from fastapi_users.db import SQLAlchemyUserDatabase

from app.db import User, get_user_db

SECRET = "SECRET"


class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
    # Body was cut off in the post; these two secrets are what the
    # fastapi-users SQLAlchemy example defines here.
    reset_password_token_secret = SECRET
    verification_token_secret = SECRET


async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db)):
    yield UserManager(user_db)


# Cookie is HttpOnly and Secure: the Secure flag is what breaks on Safari over
# plain-HTTP localhost (see the reply below).
cookie_transport = CookieTransport(cookie_httponly=True, cookie_secure=True)
bearer_transport = BearerTransport(tokenUrl="auth/jwt/login")


def get_jwt_strategy() -> JWTStrategy:
    return JWTStrategy(secret=SECRET, lifetime_seconds=3600)


# Cookie transport carrying a JWT, instead of the bearer transport of the example.
auth_backend = AuthenticationBackend(
    name="cookie",
    transport=cookie_transport,
    get_strategy=get_jwt_strategy,
)

fastapi_users = FastAPIUsers[User, uuid.UUID](get_user_manager, [auth_backend])

current_active_user = fastapi_users.current_user(active=True)
```
Replies: 1 comment
The problem comes from the `cookie_secure=True` flag. This flag means the browser should forward the cookie to the server only if we're on an HTTPS connection, which is usually not the case when developing on `localhost`. However, Chrome and Firefox are a bit nicer with this rule: when the server is served on `localhost`, they will ignore the `cookie_secure` flag, for developers' convenience. Safari is very strict and won't do this, that's why it doesn't work with this browser. My advice is to set `cookie_secure` through an environment variable, so you can easily switch it to `False` in development and to `True` in production (which is crucial in terms of security).
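One way to wire the environment-variable switch suggested above, as an added example that is not part of the original discussion or of fastapi-users itself. It assumes two variables of my own naming, `APP_ENV` and `COOKIE_SECURE`, and fails closed: a missing variable yields a Secure cookie, and an explicitly insecure cookie is refused when `APP_ENV=production`.

```python
import os
from typing import Mapping

_TRUTHY = {"1", "true", "yes", "on"}


def cookie_transport_kwargs(env: Mapping[str, str] = os.environ) -> dict:
    """Build the keyword arguments for fastapi-users' CookieTransport from env vars.

    APP_ENV       "development" or "production" (assumed name; default production)
    COOKIE_SECURE optional explicit override, e.g. "false" on a plain-HTTP dev box

    The Secure flag defaults to True unless APP_ENV is development, so forgetting
    to set anything in production never produces a cookie sent over plain HTTP.
    """
    app_env = env.get("APP_ENV", "production").strip().lower()
    override = env.get("COOKIE_SECURE")

    if override is None:
        # No override: Safari over http://localhost needs a non-Secure cookie,
        # so only a development environment turns the flag off.
        secure = app_env != "development"
    else:
        secure = override.strip().lower() in _TRUTHY

    if app_env == "production" and not secure:
        # Refuse to start rather than ship session cookies over plain HTTP.
        raise RuntimeError("COOKIE_SECURE=false is not allowed when APP_ENV=production")

    return {
        "cookie_httponly": True,   # keep the session cookie out of reach of page scripts
        "cookie_secure": secure,
        "cookie_samesite": "lax",  # default of CookieTransport, made explicit
    }


if __name__ == "__main__":
    # Wiring into fastapi-users (import kept here so the module runs without it):
    from fastapi_users.authentication import CookieTransport

    cookie_transport = CookieTransport(**cookie_transport_kwargs())
    print(cookie_transport_kwargs())
```

In users.py, replace `CookieTransport(cookie_httponly=True, cookie_secure=True)` with `CookieTransport(**cookie_transport_kwargs())` and run the dev server with `APP_ENV=development`.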