How to create a remember me function for JWTAuth?

[JoseMoreville]

Hello, first of all thanks for maintaining fastapi-users

Now, my problem is that i made a login with the remember me button and in case it is checked on a fastapi route it sets a variable with 1209600 that are going to be the lifetime_seconds of JWT and sets a cookie and then returns the value I know this could be redundant but i've tried all those ways even using globals but that leads to some weird bugs.

I'll paste what i have right now

life_seconds = 86400

@app.post("/login/remember")
async def client_remember(status: rememberUser, response: Response):
    global life_seconds
    if status.remember is True:
        response.set_cookie(key="sessionTimeToLive", value="1209600")
        life_seconds = 1209600
        #print("life_seconds True", life_seconds)
        return 1209600
    else:
        life_seconds = 86400
        response.set_cookie(key="sessionTimeToLive", value="86400")
        return 86400


def getSessionTimeToLive():
    TTL = client_remember
    return TTL

jwt_authentication = JWTAuthentication(
    secret=SECRET, lifetime_seconds=getSessionTimeToLive(), tokenUrl="/auth/jwt/login"
)

on lifetime_seconds i had lifetime_seconds=life_seconds but that's buggy

[frankie567]

Hi there!

Background

First of all, rather than a JWT authentication, I think you need a Cookie authentication. It'll be way easier to manage its lifetime then.

Now if you look at how to configure this authentication backend:

cookie_authentication = CookieAuthentication(secret=SECRET, lifetime_seconds=3600)

The property lifetime_seconds is here to specify how long this cookie will be stored in the browser. If you set this value to None*, it'll mean it's a session cookie (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie) that will be deleted when the user closes its browser. If you set a value, like 86400, the browser will remember it for 86400 seconds.

*If you use static-type checking with mypy, it'll complain but I'll fix that.

Proposal

Now, I understand that you want either a session cookie or a permanent cookie depending on if the user has checked the Remember me checkbox. This is not something that you could do out-of-the-box right now. However, here is a workaround you could try.

You can have two authentication backends, one configured with session cookie and one configured with permanent cookie:

session_authentication = CookieAuthentication(name="session", secret=SECRET, lifetime_seconds=None)
cookie_authentication = CookieAuthentication(secret=SECRET, lifetime_seconds=86400)

Then, you wire two login routers for both of them:

app.include_router(
    fastapi_users.get_auth_router(session_authentication), prefix="/auth/session", tags=["auth"]
)
app.include_router(
    fastapi_users.get_auth_router(cookie_authentication), prefix="/auth/cookie", tags=["auth"]
)

In your webpage, you then just have to call /auth/session if Remember me is not checked or /auth/cookie otherwise.

[JoseMoreville]

It worked! Thank you very much for the help!

Just one quick check.
I can't set lifetime as None since it'll prompt an error when computing the expire value.

I'm going to leave the error message:

File "C:\Users\hp\anaconda3\envs\LEMAenv\lib\site-packages\fastapi_users\authentication\cookie.py", line 92, in get_login_response
token = await self._generate_token(user)
File "C:\Users\hp\anaconda3\envs\LEMAenv\lib\site-packages\fastapi_users\authentication\cookie.py", line 115, in _generate_token
return generate_jwt(data, self.lifetime_seconds, self.secret, JWT_ALGORITHM)
File "C:\Users\hp\anaconda3\envs\LEMAenv\lib\site-packages\fastapi_users\utils.py", line 12, in generate_jwt
expire = datetime.utcnow() + timedelta(seconds=lifetime_seconds)
TypeError: unsupported type for timedelta seconds component: NoneType

But i guess using 0 would give the expected result.

[frankie567]

This should be fixed in v5.1.3 😉

[ziruzavar]

Hello, I stumbled across this problem yesterday. I was trying to implement a "remember me" functionality in our web app, but I couldn't find this discussion back then, because of that I decided to modify the get_auth_router to include a "remember me" parameter:

@router.post(
        "/login",
        name=f"auth:{backend.name}.login",
        responses=login_responses,
    )
    async def login(
        response: Response,
        remember_me: bool = Body(...),
        credentials: OAuth2PasswordRequestForm = Depends(),
        user_manager: BaseUserManager[models.UP, models.ID] = Depends(
            get_user_manager
        ),
        strategy: Strategy[models.UP, models.ID] = Depends(
            backend.get_strategy
        ),
    ):
        user = await user_manager.authenticate(credentials)
        if user is None or not user.is_active:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail=ErrorCode.LOGIN_BAD_CREDENTIALS,
            )
        if requires_verification and not user.is_verified:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail=ErrorCode.LOGIN_USER_NOT_VERIFIED,
            )
        return await backend.login(strategy, user, remember_me, response)

    logout_responses: OpenAPIResponseType = {
        **{
            status.HTTP_401_UNAUTHORIZED: {
                "description": "Missing token or inactive user."
            }
        },
        **backend.transport.get_openapi_logout_responses_success(),
    }

Is this way of doing it a good pracite? I think there should be a default parameter that accepts a "remember me" argument and forwards it to the jwt strategy.

[frankie567]

As I explain in my initial response, "remember me" only makes sense if we talk about browsers and cookies.

If your remember_me flag just determines the lifetime of the cookie (session vs X days), then yes, that looks okay.