"Remember me" param for login route #1507

bkis · 2025-04-24T06:35:12Z

bkis
Apr 24, 2025

This is only relevant for a cookie transport. It would be nice to be able to set a boolean param like rememberMe (or persistent or whatever) when logging in, so in case it's false the returned Set-Cookie header always creates a session cookie but if it's true it creates a persistent cookie with the configured cookie_max_age.

Of course this would require a way to keep the current behavior of CookieTransport, so adding an init argment like session_cookies_by_default: bool = False that'd have to be set to True to trigger the feature would make this a non-breaking change.

hgalytoby · 2025-04-24T08:15:13Z

hgalytoby
Apr 24, 2025

This seems to meet your requirements?

You can implement the logic in get_enabled_backends and dynamically instantiate CookieTransport with the cookie_max_age.

https://fastapi-users.github.io/fastapi-users/latest/usage/current-user/#dynamically-enable-authentication-backends

5 replies

bkis Apr 24, 2025
Author

I see... or I might have two different (prepared) cookie backends – one that uses the configured cookie_max_age (used when rememberMe is true) and one that has cookie_max_age hard-coded to None (used when rememberMe is false, thus only creating session cookies).

I will try that! Thank you!

bkis Apr 24, 2025
Author

Well, unfortunately I don't think this works. get_enabled_backends is only called in access auth dependencies, so the logic I put there has nothing to do with how the login auth router behaves. And when registering the auth router...

app.include_router(
    _fastapi_users.get_auth_router(_auth_backend_cookie),
    prefix="/auth/cookie",
)

...I can only pass one backend (_auth_backend_cookie in the example above), so I cannot influence the backend this router is using based on the request to /auth/cookie.

What I want is for the router that handles /auth/cookie to set the Set-Cookie response header with a Max-Age of cookie_max_age only if the request contains something like rememberMe (a form data field set to "true" or something), but respond with a Set-Cooki 8000 e header without a set Max-Age (or Expires) in any other case (thus creating a session cookie).

Actually for this I don't need any logic in get_enabled_backends at all, because this has to happen when requesting the login endpoint – which does not have any user dependencies.

hgalytoby Apr 24, 2025

Sorry, I didn't fully understand your requirement at first.

So is your requirement only for the routes inside get_auth_router, or does it apply to other routes as well?

And you want to dynamically decide whether to set a session cookie based on a specific parameter in the request?

bkis Apr 24, 2025
Author

So is your requirement only for the routes inside get_auth_router, or does it apply to other routes as well?

Yes, it's only for the routes coming from get_auth_router – and specifically only for auth routers using a backend with a cookie transport and only for the login route (as that's the one sending the Set-Cookie header).

And you want to dynamically decide whether to set a session cookie based on a specific parameter in the request?

That's all I want. Let me give you an example:

Case 1:

user logs in by sending username=foo, password=bar and persistent=false to /auth/cookie (a route backed by an auth backend with a cookie transport!)
the response contains a Set-Cookie header with no Max-Age or Expires fields set (so a session cookie!)

Case 2:

user logs in by sending username=foo, password=bar and persistent=true to /auth/cookie (same route as in case 1!)
the response contains a Set-Cookie header with Max-Age set to whatever cookie_max_age is set to in the API (so a persistent cookie!)

Thanks for helping!

hgalytoby Apr 24, 2025

Since only the login route has this requirement, if it were me, I would rewrite the auth router. However, since the auth router can't be extended through inheritance, the only option is to copy and paste the code and modify it.

By passing the request to backend.login and subclassing AuthenticationBackend, you can achieve the desired behavior. But considering that, your idea of adding a parameter to CookieTransport might actually be the simpler approach.

bkis · 2025-04-25T07:11:02Z

bkis
Apr 25, 2025
Author

However, since the auth router can't be extended through inheritance, the only option is to copy and paste the code and modify it.

Yeah I'd like to avoid that, obviously :)

But considering that, your idea of adding a parameter to CookieTransport might actually be the simpler approach.

I think so, too. Extending CookieTransport sounds like the cleaner approach. But looking at the code I think this is still too invasive for a simple little monkey patching, IMHO. It could be a built-in feature, but it'd have to be thought through carefully.

Again, thank you for your thoughts!

0 replies

bkis · 2025-05-06T08:40:27Z

bkis
May 6, 2025
Author

In case anyone is looking for a solution to get a "remember me"/"keep me signed in" flag for a cookie-based login endpoint: I tried hacking this into the existing logic of FastAPI-Users without completely re-implementing any major parts of the library, but there's just no clean enough way to do it IMHO. So I went the "naive" but maintainable way and just wrote a middleware that intercepts requests to the cookie-based login endpoint and modifies the set-cookie header of the response if the request did not carry a truthy value for persistent (or whatever you want to call the form field):

import re

from starlette.middleware.base import BaseHTTPMiddleware
from starlette.requests import Request


class CookieTypeChoiceMiddleware(BaseHTTPMiddleware):
    _TRUTHY_VALS = ("true", "on", "1", "yes")

    def __init__(
        self,
        app,
        *,
        login_path_suffix="/auth/cookie/login",
        form_field_name="persistent",
    ):
        super().__init__(app)
        self.login_path_suffix = login_path_suffix
        self.form_field_name = form_field_name

    async def dispatch(self, request: Request, call_next):
        await request.body()  # make starlette cache the request body
        response = await call_next(request)  # pass on the request

        if request.url.path.endswith(self.login_path_suffix):
            # request was to ...<login_path_suffix>
            form_data = await request.form()
            if form_data.get(self.form_field_name, "").lower() not in self._TRUTHY_VALS:
                # the request is missing `form_field_name` or the value is falsy,
                # so we have to force any "set-cookie" headers of the response to
                # trigger the creation of session cookies instead of persistent cookies
                for k, v in response.headers.items():
                    if k.lower() == "set-cookie":
                        response.headers[k] = re.sub(
                            r"Max-Age=\d+ *;* *",
                            "",
                            response.headers[k],
                            flags=re.IGNORECASE,
                        )

        return response

This seems to work just fine.

EDIT: Of course the downside of this is that this additional parameter will not automatically be reflected in the API schema!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

"Remember me" param for login route #1507

{{title}}

Replies: 3 comments 5 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

"Remember me" param for login route #1507

bkis Apr 24, 2025

Replies: 3 comments · 5 replies

hgalytoby Apr 24, 2025

bkis Apr 24, 2025 Author

bkis Apr 24, 2025 Author

hgalytoby Apr 24, 2025

bkis Apr 24, 2025 Author

hgalytoby Apr 24, 2025

bkis Apr 25, 2025 Author

bkis May 6, 2025 Author

bkis
Apr 24, 2025

Replies: 3 comments 5 replies

hgalytoby
Apr 24, 2025

bkis Apr 24, 2025
Author

bkis Apr 24, 2025
Author

bkis Apr 24, 2025
Author

bkis
Apr 25, 2025
Author

bkis
May 6, 2025
Author