Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
for more information, see https://pre-commit.ci
for more information, see https://pre-commit.ci
cdrini
approved these changes
Jan 21, 2026
Collaborator
cdrini
left a comment
cdrini
left a comment
There was a problem hiding this comment.
Lgtm! We tested all the helper endpoints and they did the correct thing (logout excepting). Will bring up with @mekarpeles to do a quick pass of the cookie handling stuff since he's more familiar with authentication.
|
|
||
|
|
||
| @router.post("/account/logout") | ||
| async def logout(request: Request) -> Response: |
Collaborator
There was a problem hiding this comment.
This endpoint wasn't working correctly ; we think it might be something related to webpy / fastapi storing the session cookie slightly differently?
Here's the set-cookie header from the two systems:
fastapi:
set-cookie
session=""; expires=Wed, 21 Jan 2026 18:38:46 GMT; Max-Age=0; Path=/; SameSite=lax
set-cookie
pd=""; expires=Wed, 21 Jan 2026 18:38:46 GMT; Max-Age=0; Path=/; SameSite=lax
set-cookie
sfw=""; expires=Wed, 21 Jan 2026 18:38:46 GMT; Max-Age=0; Path=/; SameSite=lax
webpy:
set-cookie
pd=; expires=Sun, 15 May 1994 16:50:45 GMT; Path=/
set-cookie
sfw=; expires=Sun, 15 May 1994 16:50:45 GMT; Path=/
set-cookie
session=; expires=Sun, 15 May 1994 16:50:45 GMT; Path=/
cdrini
requested changes
Jan 22, 2026
Collaborator
cdrini
left a comment
cdrini
left a comment
There was a problem hiding this comment.
@mekarpeles and I reviewed and this looks good! Marking as need changes to delete those files we talked about.
Collaborator
Author
|
@cdrini all changes are addressed |
lokesh
pushed a commit
to lokesh/openlibrary
that referenced
this pull request
Feb 4, 2026
* add auth verification to fastapi * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * fix linter bugs * more specific errors handling * better naming for types * add auth endpoints * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * remove extra secret key function def * remove extra comments * better name * add notes of things to delete * add notes of things to delete * cleaner generate_login_code * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * add missing import * remove extra verify_hash def * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * remove auth middleware that's not needed at this moment * better comments * delete ai generated docs * move auth tests to python * tests don't run in Ci now --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request adds FastAPI-based authentication endpoints to Open Library, enabling login, logout, and authentication checks using the same session cookie format as the legacy system. It introduces new authentication dependencies, refactors cookie generation logic for reuse, and includes a test script for local validation. These changes lay the groundwork for a modern API-based authentication flow while maintaining compatibility with existing web.py logic.
FastAPI Authentication Endpoints:
openlibrary/fastapi/account.pywith endpoints for login, logout, and authentication status checks, reusing existing account auditing and session cookie logic for compatibility with the legacy system.openlibrary/asgi_app.py, making the endpoints available.Authentication Logic and Utilities:
openlibrary/fastapi/auth.py, providing dependencies for extracting and verifying authenticated users from session cookies, including models and helper functions for authentication in FastAPI routes.generate_login_code_for_userinopenlibrary/accounts/model.pyand updated theAccount.generate_login_codemethod to use it, ensuring consistent cookie format between legacy and new endpoints. [1] [2]Testing and Validation:
test_fastapi_auth.sh, a shell script for local testing of FastAPI authentication endpoints, covering login, logout, session cookie handling, and compatibility checks.Related to #11133