issue with 11.0 and safari

[wesleysanjose]

i changed your examples -> sqlalchemy to use cookie instead of jwt auth. users.py code likes following. two issues i found

1. i installed 11.0 using pip, the login always failed with 204. after i roll back to 10.4.2 the login works.
2. when i use safari Version 16.3 (18614.4.6.1.6) on mac ventura 13.2.1, after login is successful. i tried /users/me, it always returns 401 unauthorized. but when i use my chrome browser 113.0.5672.126, the /users/me can return the user info.

import uuid
from typing import Optional

from fastapi import Depends, Request
from fastapi_users import BaseUserManager, FastAPIUsers, UUIDIDMixin
from fastapi_users.authentication import (
AuthenticationBackend,
CookieTransport,
BearerTransport,
JWTStrategy,
)
from fastapi_users.db import SQLAlchemyUserDatabase

from app.db import User, get_user_db

SECRET = "SECRET"

class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
reset_password_token_secret = SECRET
verification_token_secret = SECRET

async def on_after_register(self, user: User, request: Optional[Request] = None):
    print(f"User {user.id} has registered.")

async def on_after_forgot_password(
    self, user: User, token: str, request: Optional[Request] = None
):
    print(f"User {user.id} has forgot their password. Reset token: {token}")

async def on_after_request_verify(
    self, user: User, token: str, request: Optional[Request] = None
):
    print(f"Verification requested for user {user.id}. Verification token: {token}")

async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db)):
yield UserManager(user_db)

cookie_transport = CookieTransport(cookie_httponly=True, cookie_secure= True)

bearer_transport = BearerTransport(tokenUrl="auth/jwt/login")

def get_jwt_strategy() -> JWTStrategy:
return JWTStrategy(secret=SECRET, lifetime_seconds=3600)

auth_backend = AuthenticationBackend(
name="jwt",
# transport=bearer_transport,
transport=cookie_transport,
get_strategy=get_jwt_strategy,
)

fastapi_users = FastAPIUsers[User, uuid.UUID](get_user_manager, [auth_backend])

current_active_user = fastapi_users.current_user(active=True)

[frankie567]

The problem comes from the cookie_secure=True flag.

This flag means the browser should forward the cookie to the server only if we're on an HTTPS connection, which is usually not the case when developing on localhost.

However, Chrome and Firefox are a bit nicer with this rule: when the server is served on localhost, they will ignore the cookie Secure flag, for developers convenience. Safari is very strict and won't do this, that's why it doesn't work with this browser.

My advice is to set cookie_secure through an environment variable, so you can easily switch it to False in development and to True in production (which is crucial in terms of security).