Can't authenticate using httpx AsyncClient

[mixa2130]

Hello! I've read a lot of discussions in this repo, but no one worked for me. The problem is very similar to the discussion. Can't auth using htpps.AsyncClient:

@pytest.fixture(scope="session")
async def async_client() -> AsyncGenerator[httpx.AsyncClient, None]:
    async with httpx.AsyncClient(app=app, base_url="http://127.0.0.1:8000/api/v1", follow_redirects=True) as ac:
        yield ac

async def test_add_event(async_client: httpx.AsyncClient):
    auth_req = await async_client.post('auth/login',
                                       data={'username': "authed_user", 'password': "authed_user_password"})
    cookies = auth_req.headers['set-cookie']
    headers = {'Content-Type': 'application/json', 'Authorization': f'token {cookies}', 'cookie': cookies}
    response = await async_client.post('/events', json=test_event, headers=headers, cookies=auth_req.cookies)
    assert response.status_code == 201


@router.post(
    "/",
    response_model=schemas.CreatedEventResponseSchema,
    status_code=status.HTTP_201_CREATED,
    responses={
        status.HTTP_400_BAD_REQUEST: {
            "model": schemas.EventAlreadyExistsSchema,
            "description": "Event already exists"
        }
    })
async def add_event(event: schemas.NewEventSchema,
                    session: AsyncSession = Depends(APP_CTX.pg_controller.get_async_session),
                    user: User = Depends(current_user)):
    pass

I've tried already everything but all time getting 401 - unathorized. Cookie is coming in the correct format(checked it with swagger client authorize). What am I doing wrong?

At the same time requests.post('http://127.0.0.1:8000/api/v1/events/', headers={'cookie': auth_req.headers['set-cookie']}, json=data) works fine

[frankie567]

I'm not certain the value of set-cookie can be used as input for a cookie header.

An HTTPX Client instance is able to automatically maintain the cookie state across several requests. So if you just do:

auth_req = await async_client.post('auth/login', data={'username': "authed_user", 'password': "authed_user_password"})
response = await async_client.post('/events', json=test_event)
assert response.status_code == 201

It should work directly. Please note that the cookie_secure flag should be set to False in this context, since you are requesting on http://.

[mixa2130]

That's doesn't work(

auth_req status code is 204

[mixa2130]

@frankie567 why do you think that set-cookie value cant't be used to auth?

I'm using cookie transport with jwt strategy:

cookie_transport = CookieTransport(cookie_name="RGcookie", cookie_max_age=3600)


def get_jwt_strategy() -> JWTStrategy:
    return JWTStrategy(secret=APP_CTX.JWT_SECRET, lifetime_seconds=3600)


auth_backend = AuthenticationBackend(
    name="jwt",
    transport=cookie_transport,
    get_strategy=get_jwt_strategy,
)

I see same values in requests:

That's the full auth code: https://github.com/mixa2130/events_registration_api/tree/master/src/auth

[frankie567]

Are you sure you set the cookie secure flag to False, as I mentioned in my previous answer?

https://github.com/mixa2130/events_registration_api/blob/55d6e8dc9249c12269510510e7b28d7b7eccba42/src/auth/config.py#L12

The default is True. My recommendation is to have an environment variable for this so you can easily switch it to False in local and to True in production.

---

@frankie567 why do you think that set-cookie value cant't be used to auth?

The value of Set-Cookie contains not only the cookie name and its value, but also the flags like HttpOnly, Secure, etc.

The Cookie header only expects Name=Value pairs. So, I'm not sure the server is able to recognize them if they contain the flags. Maybe requests is smart enough to edit them before sending the request, but I'm pretty sure HTTPX won't do it.