Spaces:

moazx
/

Lung-Cancer-AI-Advisor

Running

App Files Files Community

moazx commited on Oct 22

Commit

ef242c8

verified ·

1 Parent(s): 0f62f58

Update api/routers/auth.py

Browse files

Files changed (1) hide show

api/routers/auth.py +17 -4

api/routers/auth.py CHANGED Viewed

@@ -5,11 +5,12 @@ import os
 import secrets
 from datetime import datetime, timedelta
 from typing import Dict, Optional
-from fastapi import APIRouter, HTTPException, Response, Cookie, Form
 from fastapi.responses import JSONResponse
 from pydantic import BaseModel
 from itsdangerous import URLSafeTimedSerializer, BadSignature, SignatureExpired
 import logging
 logger = logging.getLogger(__name__)
@@ -92,6 +93,7 @@ def verify_credentials(username: str, password: str) -> bool:
 @router.post("/login", response_model=LoginResponse)
 async def login(
     response: Response,
     username: str = Form(...),
     password: str = Form(...)
 ):
@@ -107,13 +109,24 @@ async def login(
     token = create_session(username)
     # Set secure cookie
     response.set_cookie(
         key="session_token",
         value=token,
         httponly=True,
         max_age=SESSION_MAX_AGE,
-        samesite="none",
-        secure=True  # Required for SameSite=None
     )
     logger.info(f"Successful login for user: {username}")
@@ -171,4 +184,4 @@ async def status(session_token: Optional[str] = Cookie(None)):
     return {
         "authenticated": session_data is not None,
         "username": session_data.get("username") if session_data else None
-    }

 import secrets
 from datetime import datetime, timedelta
 from typing import Dict, Optional
+from fastapi import APIRouter, HTTPException, Response, Cookie, Form, Request
 from fastapi.responses import JSONResponse
 from pydantic import BaseModel
 from itsdangerous import URLSafeTimedSerializer, BadSignature, SignatureExpired
 import logging
+from urllib.parse import urlparse
 logger = logging.getLogger(__name__)
 @router.post("/login", response_model=LoginResponse)
 async def login(
     response: Response,
+    request: Request,
     username: str = Form(...),
     password: str = Form(...)
 ):
     token = create_session(username)
     # Set secure cookie
+    # In development (HTTP), use lax samesite and secure=False
+    # In production (HTTPS), use none samesite and secure=True
+    is_production = os.getenv("ENVIRONMENT", "development") == "production"
+    origin = request.headers.get("origin")
+    parsed_origin = urlparse(origin) if origin else None
+    is_cross_site = bool(parsed_origin and parsed_origin.hostname and parsed_origin.hostname != request.url.hostname)
+    is_https = request.url.scheme == "https"
+    samesite = "none" if (is_https and (is_production or is_cross_site)) else "lax"
+    secure = True if samesite == "none" else is_production
     response.set_cookie(
         key="session_token",
         value=token,
         httponly=True,
         max_age=SESSION_MAX_AGE,
+        samesite=samesite,
+        secure=secure
     )
     logger.info(f"Successful login for user: {username}")
     return {
         "authenticated": session_data is not None,
         "username": session_data.get("username") if session_data else None
+    }