JWT in httponly cookie instead of HTTP header #1520
Labels
architecture
Overall project architecture.
auth
Pertaining to authentication.
backend
Pertains to the Python backend.
frontend
Pertains to the frontend.
security
This is an initial research ticket to pave the way towards improving the way we do authentication within chainlit (so between frontend and backend, not between backend and 3rd parties).
Steps
Current approach
We're keeping the JWT in localStorage, sending it along for every API request which requires authentication.
This approach is used for all clients (frontend, copilot and the React client library).
Limits to current approach
XSS vulnerabilities
We have been made aware that the combination of having the token in
localStorage
, where JS can access it and being able to upload files to the same domain allows crafting of link able to steal user's authentication token and thus session and history.This is in part caused by #1101.
Authentication for
get_file()
We're adding links to files on the server. To authenticate requests for these files, whilst still allowing normal HTML tags (e.g.
<img src="<url>"
oversrc=URL.createObjectURL(blob)
andfetch()
), sending auth data in a httponly cookie will do the trick.Issues
Caveats
Copilot auth works differently
Ref: https://docs.chainlit.io/deploy/copilot#authentication
Issues
Cookie-based auth requires CSRF protection
Discussion
Alternative: streaming file download, setting
src
to blobThis approach seems more tricky -- but it's less 'stateful' and we don't need to change as much, server side.
Might be a lot of edge cases for all the different Elements we use though.
https://developer.mozilla.org/en-US/docs/Web/API/Streams_API/Using_readable_streams
HTTP only cookies
Possibly relevant issues
Code
Client
Log-in callback
Handled client side, once user's login is validated server-side (see server code below), here:
chainlit/frontend/src/router.tsx
Line 34 in 45866b2
chainlit/frontend/src/pages/AuthCallback.tsx
Line 8 in 45866b2
React client useAuth()
chainlit/libs/react-client/src/api/hooks/auth.ts
Line 16 in 45866b2
Server
httponly cookie should be set here:
chainlit/backend/chainlit/server.py
Line 365 in 45866b2
chainlit/backend/chainlit/server.py
Line 405 in 45866b2
And/or possibly here:
chainlit/backend/chainlit/server.py
Line 477 in 45866b2
chainlit/backend/chainlit/server.py
Line 567 in 45866b2
And should be read here:
https://github.com/Chainlit/chainlit/blob/main/backend/chainlit/auth.py
Where the JWT is created/validated here:
chainlit/backend/chainlit/auth.py
Line 51 in 45866b2
It should be removed here:
chainlit/backend/chainlit/server.py
Line 397 in 45866b2
Documentation
Current situation
Future situation
Prior efforts
FastAPI/cookie based JWT
External libraries
Instead of 'rolling our own', perhaps we should consider getting rid of this code and replace it by one or more well-supported libraries.
fastapi-jwt (well maintained, minimal, does what we want, doesn't do what we don't want, 100% code coverage)
FastAPI Users
FastAPI Sessions
httpx-oauth (used by FastAPI Users)
fastapi-nextauth-jtw
auhtlib
aioauth
The text was updated successfully, but these errors were encountered: