馃挱 First-class session support in FastAPI 路 Issue #754 路 tiangolo... =================================================================== !https://github.com/tiangolo/fastapi/issues/754 Date: July 28, 2023 First-class session support in FastAPI 路 Issue #754 路 fastapi/fastapi Is your feature request related to a problem All of the security schemas currently supported by FastAPI rely on some sort of "client-server synergy" , where, for instance, the client is expected to... GitHub 路 github.com [1] Here is a snippet provided by @tiangolo to store the users jwt inside of a session cookie in fatapi. This was written in feb 12, 2020 and admits that this is not a well documented part of fastapi. > It's already in place. More or less like the rest of the security tools. And it's compatible with the rest of the parts, integrated with OpenAPI (as possible), but probably most importantly, with dependencies. > It's just not properly documented yet. 馃槥 > But still, it works 馃殌 e.g. ``` python from fastapi import FastAPI, Form, HTTPException, Depends from fastapi.security import APIKeyCookie from starlette.responses import Response, HTMLResponse from starlette import status from jose import jwt app = FastAPI() cookie_sec = APIKeyCookie(name="session") secret_key = "someactualsecret" users = {"dmontagu": {"password": "secret1"}, "tiangolo": {"password": "secret2"}} def get_current_user(session: str = Depends(cookie_sec)): try: payload = jwt.decode(session, secret_key) user = users[payload["sub"]] return user except Exception: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Invalid authentication" ) @app.get("/login") def login_page(): return HTMLResponse( """ Username: Password: """ ) @app.post("/login") def login(response: Response, username: str = Form(...), password: str = Form(...)): if username not in users: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Invalid user or password" ) db_password = users[username]["password"] if not password == db_password: raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail="Invalid user or password" ) token = jwt.encode({"sub": username}, secret_key) response.set_cookie("session", token) return {"ok": True} @app.get("/private") def read_private(username: str = Depends(get_current_user)): return {"username": username, "private": "get some private data"} ``` !!! note This post is a thought [2]. It's a short note that I make about someone else's content online #thoughts [3] References: [1]: https://github.com/tiangolo/fastapi/issues/754 [2]: /thoughts/ [3]: /tags/thoughts/