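"""
Cookie Utilities for Authentication

Handles HttpOnly cookie creation for JWT tokens.
Supports both access and refresh tokens with appropriate security settings.

Author: Claude (Jarvis)
Date: 2025-11-27
"""

from fastapi import Response

from app.config import get_settings

settings = get_settings()

# Cookie configuration
ACCESS_TOKEN_COOKIE = "pd_access_token"
REFRESH_TOKEN_COOKIE = "pd_refresh_token"

# Browser-side lifetimes only; they do not bound the validity of the JWT itself.
# NOTE(review): the tokens' `exp` claims are issued elsewhere -- confirm they
# are no longer than these values.
ACCESS_TOKEN_MAX_AGE = 60 * 60  # 1 hour
REFRESH_TOKEN_MAX_AGE = 60 * 60 * 24 * 7  # 7 days

# Request paths each cookie is attached to. Deletion must use the same path
# as creation, otherwise the browser keeps the original cookie.
_ACCESS_TOKEN_PATH = "/api"
_REFRESH_TOKEN_PATH = "/api/auth"


def is_production() -> bool:
    """
    Check if running in production environment.

    The result drives the ``Secure`` cookie flag, so a near-miss in the
    configured value ("Production", "production " with trailing whitespace
    from an env file) must not silently turn that flag off. The comparison is
    therefore case- and whitespace-insensitive for string values.

    Returns:
        True when ``settings.app_env`` names the production environment.
        A missing attribute is treated as "development".
    """
    app_env = getattr(settings, "app_env", "development")
    # Keep the exact comparison first so any value that matched before this
    # normalization was added still matches.
    if app_env == "production":
        return True
    return isinstance(app_env, str) and app_env.strip().lower() == "production"


def _cookie_flags() -> dict:
    """Return the security attributes shared by every auth cookie header."""
    return {
        "httponly": True,
        # Only the production environment gets Secure cookies; every other
        # environment (including any internet-reachable staging host) will
        # accept and send the tokens over plain HTTP.
        # NOTE(review): consider making Secure the default and opting out
        # only for local development.
        "secure": is_production(),
        "samesite": "lax",
    }


def set_auth_cookies(
    response: Response,
    access_token: str,
    refresh_token: str,
) -> None:
    """
    Set both access and refresh token cookies on response.

    Security settings:
    - HttpOnly: Keeps the tokens out of reach of page scripts (document.cookie)
    - Secure: HTTPS only in production (see is_production)
    - SameSite=Lax: CSRF protection while allowing top-level navigations.
      Lax still attaches the cookies to top-level GET navigations, so
      state-changing endpoints must not be reachable via GET.
    - Path: Limits which requests carry each cookie. This narrows exposure;
      it is not an isolation boundary between same-origin applications.

    Args:
        response: FastAPI Response object
        access_token: JWT access token
        refresh_token: JWT refresh token
    """
    # Access token - short-lived, sent to all /api endpoints
    response.set_cookie(
        key=ACCESS_TOKEN_COOKIE,
        value=access_token,
        max_age=ACCESS_TOKEN_MAX_AGE,
        path=_ACCESS_TOKEN_PATH,
        **_cookie_flags(),
    )

    # Refresh token - long-lived, restricted to auth endpoints only
    response.set_cookie(
        key=REFRESH_TOKEN_COOKIE,
        value=refresh_token,
        max_age=REFRESH_TOKEN_MAX_AGE,
        path=_REFRESH_TOKEN_PATH,
        **_cookie_flags(),
    )


def clear_auth_cookies(response: Response) -> None:
    """
    Clear all auth cookies (logout).

    The expiring Set-Cookie headers carry the same path and security
    attributes as the headers that created the cookies, so the browser
    matches them to the originals and the logout response does not emit
    auth-cookie headers without HttpOnly/Secure.

    This only removes the cookies from the browser. A token that was copied
    before logout stays valid until it expires unless the server also
    revokes it.
    NOTE(review): server-side revocation is not visible in this module.

    Args:
        response: FastAPI Response object
    """
    response.delete_cookie(
        key=ACCESS_TOKEN_COOKIE,
        path=_ACCESS_TOKEN_PATH,
        **_cookie_flags(),
    )
    response.delete_cookie(
        key=REFRESH_TOKEN_COOKIE,
        path=_REFRESH_TOKEN_PATH,
        **_cookie_flags(),
    )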