Conversation

@RayBB RayBB commented Jan 18, 2026

This pull request adds FastAPI-based authentication endpoints to Open Library, enabling login, logout, and authentication checks using the same session cookie format as the legacy system. It introduces new authentication dependencies, refactors cookie generation logic for reuse, and includes a test script for local validation. These changes lay the groundwork for a modern API-based authentication flow while maintaining compatibility with existing web.py logic.

FastAPI Authentication Endpoints:

  • Added openlibrary/fastapi/account.py with endpoints for login, logout, and authentication status checks, reusing existing account auditing and session cookie logic for compatibility with the legacy system.
  • Integrated the new account router into the FastAPI application in openlibrary/asgi_app.py, making the endpoints available.

Authentication Logic and Utilities:

  • Introduced openlibrary/fastapi/auth.py, providing dependencies for extracting and verifying authenticated users from session cookies, including models and helper functions for authentication in FastAPI routes.
  • Refactored session cookie generation logic into a reusable function generate_login_code_for_user in openlibrary/accounts/model.py and updated the Account.generate_login_code method to use it, ensuring consistent cookie format between legacy and new endpoints. [1] [2]

Testing and Validation:

  • Added test_fastapi_auth.sh, a shell script for local testing of FastAPI authentication endpoints, covering login, logout, session cookie handling, and compatibility checks.

Related to #11133

@RayBB RayBB marked this pull request as ready for review January 20, 2026 18:41

@cdrini cdrini left a comment

Lgtm! We tested all the helper endpoints and they did the correct thing (logout excepting). Will bring up with @mekarpeles to do a quick pass of the cookie handling stuff since he's more familiar with authentication.



@router.post("/account/logout")
async def logout(request: Request) -> Response:

This endpoint wasn't working correctly; we think it might be something related to webpy / fastapi storing the session cookie slightly differently?

Here are the set-cookie headers from the two systems:

fastapi:
set-cookie: session=""; expires=Wed, 21 Jan 2026 18:38:46 GMT; Max-Age=0; Path=/; SameSite=lax
set-cookie: pd=""; expires=Wed, 21 Jan 2026 18:38:46 GMT; Max-Age=0; Path=/; SameSite=lax
set-cookie: sfw=""; expires=Wed, 21 Jan 2026 18:38:46 GMT; Max-Age=0; Path=/; SameSite=lax

webpy:
set-cookie: pd=; expires=Sun, 15 May 1994 16:50:45 GMT; Path=/
set-cookie: sfw=; expires=Sun, 15 May 1994 16:50:45 GMT; Path=/
set-cookie: session=; expires=Sun, 15 May 1994 16:50:45 GMT; Path=/

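Both header styles in the comment above are valid deletions under RFC 6265 (a Max-Age of 0, or an Expires at or before the current time, makes the browser evict the cookie; Max-Age wins when both are present), so the next thing a practitioner debugging a logout that does not take would check is the other condition a browser applies: it only replaces a cookie whose name, Domain and Path match the one login set, and otherwise stores a second cookie and leaves the original alive. The stdlib-only Python checker below is an added example, not Open Library code and not part of this PR. The two sample headers are transcribed from the comment, `REVIEW_TIME` is an assumed instant at which the response is processed, and the `stored_path` / `stored_domain` inputs are hypothetical descriptions of the cookie the login response set.

```python
"""Check whether a Set-Cookie header really clears a cookie in the browser."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Sample headers transcribed from the review comment above (constructed input).
FASTAPI_LOGOUT = 'session=""; expires=Wed, 21 Jan 2026 18:38:46 GMT; Max-Age=0; Path=/; SameSite=lax'
WEBPY_LOGOUT = 'session=; expires=Sun, 15 May 1994 16:50:45 GMT; Path=/'
# Assumed instant at which the browser processes the response (the FastAPI
# header's Expires value); only the comparison against Expires depends on it.
REVIEW_TIME = datetime(2026, 1, 21, 18, 38, 46, tzinfo=timezone.utc)


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict[str, str | None] = field(default_factory=dict)


def parse_set_cookie(header: str) -> SetCookie:
    """Split 'name=value; Attr=val; Flag' into parts; attribute names are lower-cased."""
    name_value, *parts = header.split(";")
    name, _, value = name_value.strip().partition("=")
    # RFC 6265 allows a double-quoted value, so '""' (FastAPI) and '' (web.py) are both empty.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    attrs: dict[str, str | None] = {}
    for part in parts:
        key, has_value, val = part.strip().partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return SetCookie(name.strip(), value, attrs)


def is_expired(cookie: SetCookie, now: datetime) -> bool:
    """Max-Age takes precedence over Expires (RFC 6265 section 5.3); Max-Age <= 0
    or an Expires at or before `now` means the user agent evicts the cookie at once."""
    max_age = cookie.attrs.get("max-age")
    if max_age is not None:
        try:
            return int(max_age) <= 0
        except ValueError:
            pass  # a malformed Max-Age is ignored and Expires is consulted instead
    expires = cookie.attrs.get("expires")
    if expires is not None:
        try:
            return parsedate_to_datetime(expires) <= now
        except (TypeError, ValueError):
            return False  # unparseable date: the cookie survives until browser exit
    return False  # no lifetime at all: a session cookie, not a deletion


def _norm_domain(domain: str | None) -> str | None:
    """Lower-case and drop a leading dot, as user agents do before comparing domains."""
    return domain.lower().lstrip(".") if domain else None


def clears_cookie(
    header: str,
    name: str,
    now: datetime,
    stored_path: str = "/",
    stored_domain: str | None = None,
) -> bool:
    """True only if the header both replaces and expires the stored cookie.

    A browser overwrites an existing cookie only when name, domain and path all
    match; otherwise it stores a second cookie and the original keeps working.
    `stored_path` and `stored_domain` are hypothetical inputs describing the cookie
    the login response set (None means a host-only cookie). A missing Path is taken
    as '/', which assumes the logout request itself was made to '/'.
    """
    cookie = parse_set_cookie(header)
    if cookie.name != name:
        return False
    if (cookie.attrs.get("path") or "/") != stored_path:
        return False
    if _norm_domain(cookie.attrs.get("domain")) != _norm_domain(stored_domain):
        return False
    return is_expired(cookie, now)


if __name__ == "__main__":
    for label, header in (("fastapi", FASTAPI_LOGOUT), ("webpy", WEBPY_LOGOUT)):
        print(f"{label}: clears 'session' -> {clears_cookie(header, 'session', REVIEW_TIME)}")
    # Same header, but the login cookie was scoped to /account: the browser keeps it.
    print("path mismatch ->", clears_cookie(FASTAPI_LOGOUT, "session", REVIEW_TIME, stored_path="/account"))
```

Run it directly to see both transcribed headers reported as clearing the session cookie, and the same FastAPI header fail against a cookie scoped to /account. To apply it to a real response, pass the Set-Cookie value from the logout response together with the Path and Domain observed on the login response's Set-Cookie; if those differ, the clearing header is well-formed but targets a different cookie.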

@cdrini cdrini left a comment

@mekarpeles and I reviewed and this looks good! Marking as need changes to delete those files we talked about.

@RayBB RayBB requested a review from cdrini January 22, 2026 20:53
RayBB commented Jan 22, 2026

@cdrini all changes are addressed
