add config cookie jwt

Author: IndominusByte

fastapi_jwt_auth/auth_config.py

@@ -59,6 +59,7 @@ def load_config(cls, settings: Callable[...,List[tuple]]) -> "AuthConfig":
         try:
             config = LoadConfig(**{key.lower():value for key,value in settings()})
 
+            cls._token_location = config.authjwt_token_location
             cls._secret_key = config.authjwt_secret_key
             cls._public_key = config.authjwt_public_key
             cls._private_key = config.authjwt_private_key
@@ -74,6 +75,24 @@ def load_config(cls, settings: Callable[...,List[tuple]]) -> "AuthConfig":
             cls._header_type = config.authjwt_header_type
             cls._access_token_expires = config.authjwt_access_token_expires
             cls._refresh_token_expires = config.authjwt_refresh_token_expires
+            # option for create cookies
+            cls._access_cookie_key = config.authjwt_access_cookie_key
+            cls._refresh_cookie_key = config.authjwt_refresh_cookie_key
+            cls._access_cookie_path = config.authjwt_access_cookie_path
+            cls._refresh_cookie_path = config.authjwt_refresh_cookie_path
+            cls._cookie_max_age = config.authjwt_cookie_max_age
+            cls._cookie_domain = config.authjwt_cookie_domain
+            cls._cookie_secure = config.authjwt_cookie_secure
+            cls._cookie_samesite = config.authjwt_cookie_samesite
+            # option for double submit csrf protection
+            cls._cookie_csrf_protect = config.authjwt_cookie_csrf_protect
+            cls._access_csrf_cookie_key = config.authjwt_access_csrf_cookie_key
+            cls._refresh_csrf_cookie_key = config.authjwt_refresh_csrf_cookie_key
+            cls._access_csrf_cookie_path = config.authjwt_access_csrf_cookie_path
+            cls._refresh_csrf_cookie_path = config.authjwt_refresh_csrf_cookie_path
+            cls._access_csrf_header_name = config.authjwt_access_csrf_header_name
+            cls._refresh_csrf_header_name = config.authjwt_refresh_csrf_header_name
+            cls._csrf_methods = config.authjwt_csrf_methods
         except ValidationError:
             raise
         except Exception:

fastapi_jwt_auth/config.py

@@ -1,16 +1,15 @@
 from datetime import timedelta
 from typing import Optional, Union, Sequence, List
-from types import GeneratorType
 from pydantic import (
     BaseModel,
-    root_validator,
     validator,
     StrictBool,
     StrictInt,
     StrictStr
 )
 
 class LoadConfig(BaseModel):
+    authjwt_token_location: Optional[Sequence[StrictStr]] = {'headers'}
     authjwt_secret_key: Optional[StrictStr] = None
     authjwt_public_key: Optional[StrictStr] = None
     authjwt_private_key: Optional[StrictStr] = None
@@ -26,91 +25,59 @@ class LoadConfig(BaseModel):
     authjwt_header_type: Optional[StrictStr] = "Bearer"
     authjwt_access_token_expires: Optional[Union[StrictBool,StrictInt,timedelta]] = timedelta(minutes=15)
     authjwt_refresh_token_expires: Optional[Union[StrictBool,StrictInt,timedelta]] = timedelta(days=30)
+    # option for create cookies
+    authjwt_access_cookie_key: Optional[StrictStr] = "access_token_cookie"
+    authjwt_refresh_cookie_key: Optional[StrictStr] = "refresh_token_cookie"
+    authjwt_access_cookie_path: Optional[StrictStr] = "/"
+    authjwt_refresh_cookie_path: Optional[StrictStr] = "/"
+    authjwt_cookie_max_age: Optional[StrictInt] = None
+    authjwt_cookie_domain: Optional[StrictStr] = None
+    authjwt_cookie_secure: Optional[StrictBool] = False
+    authjwt_cookie_samesite: Optional[StrictStr] = "lax"
+    # option for double submit csrf protection
+    authjwt_cookie_csrf_protect: Optional[StrictBool] = True
+    authjwt_access_csrf_cookie_key: Optional[StrictStr] = "csrf_access_token"
+    authjwt_refresh_csrf_cookie_key: Optional[StrictStr] = "csrf_refresh_token"
+    authjwt_access_csrf_cookie_path: Optional[StrictStr] = "/"
+    authjwt_refresh_csrf_cookie_path: Optional[StrictStr] = "/"
+    authjwt_access_csrf_header_name: Optional[StrictStr] = "X-CSRF-Token"
+    authjwt_refresh_csrf_header_name: Optional[StrictStr] = "X-CSRF-Token"
+    authjwt_csrf_methods: Optional[Sequence[StrictStr]] = {'POST','PUT','PATCH','DELETE'}
+
+    @validator('authjwt_access_token_expires')
+    def validate_access_token_expires(cls, v):
+        if v is True:
+            raise ValueError("The 'authjwt_access_token_expires' only accept value False (bool)")
+        return v
 
-    @root_validator(pre=True)
-    def validate_all_config(cls, values):
-        _secret_key = values.get("authjwt_secret_key")
-        _public_key = values.get("authjwt_public_key")
-        _private_key = values.get("authjwt_private_key")
-        _algorithm = values.get("authjwt_algorithm")
-        _decode_algorithms = values.get("authjwt_decode_algorithms")
-        _decode_leeway = values.get("authjwt_decode_leeway")
-        _encode_issuer = values.get("authjwt_encode_issuer")
-        _decode_issuer = values.get("authjwt_decode_issuer")
-        _decode_audience = values.get("authjwt_decode_audience")
-        _denylist_enabled = values.get("authjwt_denylist_enabled")
-        _denylist_token_checks = values.get("authjwt_denylist_token_checks")
-        _header_name = values.get("authjwt_header_name")
-        _header_type = values.get("authjwt_header_type")
-        _access_token_expires = values.get("authjwt_access_token_expires")
-        _refresh_token_expires = values.get("authjwt_refresh_token_expires")
-
-        if _secret_key and not isinstance(_secret_key, str):
-            raise TypeError("The 'AUTHJWT_SECRET_KEY' must be a string")
-
-        if _public_key and not isinstance(_public_key, str):
-            raise TypeError("The 'AUTHJWT_PUBLIC_KEY' must be a string")
-
-        if _private_key and not isinstance(_private_key, str):
-            raise TypeError("The 'AUTHJWT_PRIVATE_KEY' must be a string")
-
-        if _algorithm and not isinstance(_algorithm, str):
-            raise TypeError("The 'AUTHJWT_ALGORITHM' must be a string")
-
-        if _decode_algorithms and not isinstance(_decode_algorithms, list):
-            raise TypeError("The 'AUTHJWT_DECODE_ALGORITHMS' must be a list")
-
-        if _decode_leeway and not isinstance(_decode_leeway, (timedelta, int)):
-            raise TypeError("The 'AUTHJWT_DECODE_LEEWAY' must be a timedelta or integer")
-
-        if _encode_issuer and not isinstance(_encode_issuer, str):
-            raise TypeError("The 'AUTHJWT_ENCODE_ISSUER' must be a string")
-
-        if _decode_issuer and not isinstance(_decode_issuer, str):
-            raise TypeError("The 'AUTHJWT_DECODE_ISSUER' must be a string")
-
-        if (
-            _decode_audience and
-            not isinstance(_decode_audience, (str, list, tuple, set, frozenset, GeneratorType))
-        ):
-            raise TypeError("The 'AUTHJWT_DECODE_AUDIENCE' must be a string or sequence")
-
-        if _denylist_enabled and not isinstance(_denylist_enabled, bool):
-            raise TypeError("The 'AUTHJWT_DENYLIST_ENABLED' must be a boolean")
-
-        if (
-            _denylist_token_checks and
-            not isinstance(_denylist_token_checks, (list, tuple, set, frozenset, GeneratorType))
-        ):
-            raise TypeError("The 'AUTHJWT_DENYLIST_TOKEN_CHECKS' must be a sequence")
-
-        if _header_name and not isinstance(_header_name, str):
-            raise TypeError("The 'AUTHJWT_HEADER_NAME' must be a string")
-
-        if _header_type and not isinstance(_header_type, str):
-            raise TypeError("The 'AUTHJWT_HEADER_TYPE' must be a string")
-
-        if _access_token_expires and not isinstance(_access_token_expires, (timedelta,int,bool)):
-            raise TypeError("The 'AUTHJWT_ACCESS_TOKEN_EXPIRES' must be between timedelta, int, bool")
-
-        if _access_token_expires and _access_token_expires is True:
-            raise TypeError("The 'AUTHJWT_ACCESS_TOKEN_EXPIRES' only accept value False")
-
-        if _refresh_token_expires and not isinstance(_refresh_token_expires, (timedelta,int,bool)):
-            raise TypeError("The 'AUTHJWT_REFRESH_TOKEN_EXPIRES' must be between timedelta, int, bool")
-
-        if _refresh_token_expires and _refresh_token_expires is True:
-            raise TypeError("The 'AUTHJWT_REFRESH_TOKEN_EXPIRES' only accept value False")
-
-        return values
+    @validator('authjwt_refresh_token_expires')
+    def validate_refresh_token_expires(cls, v):
+        if v is True:
+            raise ValueError("The 'authjwt_refresh_token_expires' only accept value False (bool)")
+        return v
 
     @validator('authjwt_denylist_token_checks', each_item=True)
     def validate_denylist_token_checks(cls, v):
         if v not in ['access','refresh']:
-            raise ValueError("The 'AUTHJWT_DENYLIST_TOKEN_CHECKS' must be between 'access' or 'refresh'")
+            raise ValueError("The 'authjwt_denylist_token_checks' must be between 'access' or 'refresh'")
+        return v
 
+    @validator('authjwt_token_location', each_item=True)
+    def validate_token_location(cls, v):
+        if v not in ['headers','cookies']:
+            raise ValueError("The 'authjwt_token_location' must be between 'headers' or 'cookies'")
         return v
 
+    @validator('authjwt_cookie_samesite')
+    def validate_cookie_samesite(cls, v):
+        if v not in ['strict','lax','none']:
+            raise ValueError("The 'authjwt_cookie_samesite' must be between 'strict', 'lax', 'none'")
+        return v
+
+    @validator('authjwt_csrf_methods', each_item=True)
+    def validate_csrf_methods(cls, v):
+        return v.upper()
+
     class Config:
         min_anystr_length = 1
         anystr_strip_whitespace = True