Add CSRF recipe into the documentation #633

Open
frankie567 opened this issue May 13, 2021 · 4 comments
Labels
documentation Improvements or additions to documentation polar Issues that can be backed through Polar

Comments

@frankie567
Member

frankie567 commented May 13, 2021

It's possible to have it thanks to asgi-csrf. A detailed explanation and example in the doc would be nice.

Add an alert in the Cookie authentication backend to invite the user to check it out.

@frankie567 frankie567 added the documentation Improvements or additions to documentation label May 13, 2021
@PunishedSnakePr

PunishedSnakePr commented May 10, 2022

Hi. Any news on this? Regarding CSRF protection or whatever comes from the client, is there a way to hook into the fastapi-users default routes to add custom behavior / protection /verification?

@frankie567
Member Author

Not yet, sorry. Regarding CSRF, a common way to handle it is through a middleware, so it should be quite transparent for FastAPI Users.

Another nice option is also router-level or app-level dependencies:
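The middleware / dependency approach mentioned above, as an added example that is not part of the original thread and not fastapi-users' own code. The request-checking logic is kept framework-agnostic (plain mappings of headers and cookies) so it can be unit-tested without FastAPI installed; the small FastAPI adapter at the bottom is only defined when `fastapi` imports. `ALLOWED_ORIGINS`, the cookie and header names, and the `csrf_protect` dependency are assumptions for this example, not project defaults. It layers three checks (Fetch Metadata, Origin/Referer, and a double-submit token) rather than the single one the comment implies, so it goes slightly beyond the text:

```python
"""CSRF check usable as a FastAPI app- or router-level dependency.

Added example; not fastapi-users code. The request-checking logic is
framework-agnostic so it can be unit-tested without FastAPI installed;
the FastAPI adapter at the bottom is only defined when fastapi imports.
ALLOWED_ORIGINS, the cookie/header names and csrf_protect are assumptions
for this example, not project defaults.
"""
import hmac
from typing import Iterable, Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Methods that must never change state; CSRF checks are skipped for them.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Assumed deployment origin(s) for this example.
ALLOWED_ORIGINS = {"https://app.example"}
CSRF_COOKIE = "csrftoken"    # assumed name; must NOT be HttpOnly so page JS can read it
CSRF_HEADER = "x-csrftoken"  # assumed name; browsers never add it to a plain form post


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL (e.g. a Referer) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def verify_csrf(
    method: str,
    headers: Mapping[str, str],
    cookies: Mapping[str, str],
    allowed_origins: Iterable[str] = ALLOWED_ORIGINS,
    cookie_name: str = CSRF_COOKIE,
    header_name: str = CSRF_HEADER,
) -> Tuple[bool, Optional[str]]:
    """Return (True, None) if the request may proceed, else (False, reason).

    Three layered checks, none of which a cross-site attacker can satisfy
    from the victim's browser:
      1. Fetch Metadata: reject requests the browser labels cross-site.
      2. Origin (or, as a fallback, Referer) must match an allowed origin.
      3. Double-submit token: a custom header must equal the CSRF cookie.
    """
    if method.upper() in SAFE_METHODS:
        return True, None
    h = {k.lower(): v for k, v in headers.items()}
    allowed = {o.lower() for o in allowed_origins}

    # 1. Sec-Fetch-Site is set by modern browsers and cannot be forged by a page.
    #    "same-site" is deliberately rejected too: a sibling subdomain is not us.
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site is {site}"

    # 2. Origin is sent on cross-origin and on most state-changing requests;
    #    fall back to Referer for older clients, and fail closed if neither exists.
    origin = h.get("origin")
    if origin is None and h.get("referer"):
        origin = origin_of(h["referer"])
    if not origin or origin.lower() == "null" or origin.lower() not in allowed:
        return False, f"origin {origin!r} not allowed"

    # 3. Double-submit: the header value is only reachable by same-origin script.
    cookie_token = cookies.get(cookie_name, "")
    header_token = h.get(header_name, "")
    if not cookie_token or not hmac.compare_digest(cookie_token, header_token):
        return False, "CSRF token missing or mismatched"
    return True, None


# FastAPI wiring (assumed usage; only defined if fastapi is importable):
#   app = FastAPI(dependencies=[Depends(csrf_protect)])
#   app.include_router(auth_router, dependencies=[Depends(csrf_protect)])
try:
    from fastapi import HTTPException, Request
except ImportError:  # keeps the module importable (and testable) without FastAPI
    Request = None

if Request is not None:
    async def csrf_protect(request: Request) -> None:
        # Starlette's request.headers yields lower-cased keys; request.cookies is a dict.
        ok, reason = verify_csrf(request.method, request.headers, request.cookies)
        if not ok:
            raise HTTPException(status_code=403, detail=reason)
```

Because the check runs as an app- or router-level dependency it never touches fastapi-users' own routes, which is the transparency the comment above describes. The double-submit cookie is separate from the session cookie: it is issued without `HttpOnly` so same-origin JavaScript can copy it into the custom header, while the session cookie should stay `HttpOnly`.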

@PunishedSnakePr

Thanks for your super fast response! :)

@frankie567 frankie567 added polar Issues that can be backed through Polar and removed polar Issues that can be backed through Polar labels May 31, 2023
@rbracco

rbracco commented Oct 14, 2023

Adding onto this I think there might be a way to avoid CSRF entirely, and certain fastapi csrf extensions like this one are recommending it.

The solution is to send two cookies instead of one, one using samesite=lax and one using samesite=strict. This can be solved by implementing a DualCookieTransport that is similar to CookieTransport but just sets two cookies (using the same token), one lax and one strict. Then for routes that can do anything important, like mutate data, you can check for the presence of a strict token. This can be implemented as a dependency, but it also might be possible by extending the fastapi_users.current_user() pattern to have a strict attribute, in addition to superuser/active/verified...etc, so that then the route could just require a strict_user if necessary. Since CSRF is only a risk with cookie transport though, this might be a bad idea since it would be coupling fastapi_users.current_user to CookieTransport.

This stuff is frankly above my level but I thought I'd share it here in case anybody wanted to take it and run with it.
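The dual-cookie idea sketched in the comment above, as an added example that is not part of the thread and not fastapi-users code. It models, with the standard library only, what a DualCookieTransport would emit on login and what a `require_strict` dependency would check, and then replays the cookies the way a browser would for a same-site request versus a cross-site top-level navigation. Cookie names, lifetime and the `require_strict` flag are assumptions for this example, not project defaults:

```python
"""Dual-cookie (SameSite=Lax + SameSite=Strict) session transport sketch.

Added example, not fastapi-users code: it mimics what a DualCookieTransport
would emit and check using only the standard library, so the behaviour can be
exercised without a browser. Cookie names, lifetimes and `require_strict` are
assumptions for this example, not project defaults.
"""
import hmac
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

LAX_COOKIE = "fastapiusersauth"            # assumed: sent on top-level cross-site navigations
STRICT_COOKIE = "fastapiusersauth_strict"  # assumed: sent only on same-site requests


def session_set_cookie_headers(token: str, max_age: int = 3600, secure: bool = True) -> List[str]:
    """Build the two Set-Cookie values a dual-cookie login response would emit."""
    out = []
    for name, samesite in ((LAX_COOKIE, "Lax"), (STRICT_COOKIE, "Strict")):
        jar = SimpleCookie()
        jar[name] = token          # same token in both cookies, only SameSite differs
        morsel = jar[name]
        morsel["path"] = "/"
        morsel["max-age"] = max_age
        morsel["httponly"] = True  # neither cookie needs to be readable by script
        morsel["secure"] = secure
        morsel["samesite"] = samesite
        out.append(morsel.OutputString())
    return out


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Turn a request's Cookie header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def session_token(cookies: Dict[str, str], require_strict: bool) -> Optional[str]:
    """Return the session token, or None if the request must be treated as anonymous.

    With require_strict=True (what a mutating route would Depends() on) a request
    carrying only the Lax cookie is rejected: that is the shape of a cross-site
    request, because the browser withholds the Strict cookie on those.
    """
    lax = cookies.get(LAX_COOKIE)
    if not lax:
        return None
    if require_strict:
        strict = cookies.get(STRICT_COOKIE)
        if not strict or not hmac.compare_digest(strict, lax):
            return None
    return lax


def simulate(token: str) -> Dict[str, Optional[str]]:
    """Model how a browser replays the cookies for two request origins (constructed)."""
    # Same-site request: the browser sends both cookies.
    same_site = parse_cookie_header(f"{LAX_COOKIE}={token}; {STRICT_COOKIE}={token}")
    # Cross-site top-level navigation (a link from another site): only the Lax
    # cookie travels; the Strict one is withheld.
    cross_site_navigation = parse_cookie_header(f"{LAX_COOKIE}={token}")
    return {
        "same_site_read": session_token(same_site, require_strict=False),
        "same_site_write": session_token(same_site, require_strict=True),
        "cross_site_read": session_token(cross_site_navigation, require_strict=False),
        "cross_site_write": session_token(cross_site_navigation, require_strict=True),
    }
```

Two caveats a practitioner would want alongside this. First, the two cookies only differ on cross-site top-level navigations (GET); an explicitly `SameSite=Lax` cookie is already withheld from a cross-site form POST, so the Strict check mainly protects routes that change state on GET and adds defence in depth elsewhere. Second, both Lax and Strict treat sibling subdomains as same-site, so a compromised subdomain is not covered by either cookie; the Origin-header or token check from the earlier comment still earns its place.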
