From a76263097ab300c155a2c7f4341aa57c4a9827ef Mon Sep 17 00:00:00 2001
From: anovazzi1
Date: Fri, 5 Jan 2024 20:32:23 -0300
Subject: [PATCH] Add cookies for access and refresh tokens

---
 src/backend/langflow/api/v1/login.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/backend/langflow/api/v1/login.py b/src/backend/langflow/api/v1/login.py
index 9021b40b6..2ff2858a4 100644
--- a/src/backend/langflow/api/v1/login.py
+++ b/src/backend/langflow/api/v1/login.py
@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import Response, APIRouter, Depends, HTTPException, status
 from fastapi.security import OAuth2PasswordRequestForm
 from sqlmodel import Session
@@ -16,6 +16,7 @@ router = APIRouter(tags=["Login"])
 @router.post("/login", response_model=Token)
 async def login_to_get_access_token(
+    response: Response,
     form_data: OAuth2PasswordRequestForm = Depends(),
     db: Session = Depends(get_session),
     # _: Session = Depends(get_current_active_user)
@@ -31,7 +32,10 @@ async def login_to_get_access_token(
         ) from exc
     if user:
-        return create_user_tokens(user_id=user.id, db=db, update_last_login=True)
+        tokens = create_user_tokens(user_id=user.id, db=db, update_last_login=True)
+        response.set_cookie("refresh_token_lf", tokens["refresh_token"], httponly=True, secure=True, samesite="strict")
+        response.set_cookie("access_token_lf", tokens["access_token"], httponly=False, secure=True, samesite="strict")
+        return tokens
     else:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
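Review bot: The access-token cookie written in the `if user:` branch uses `httponly=False`, so `access_token_lf` is readable by any script running in the page, while the refresh cookie next to it is `httponly=True`; unless the frontend genuinely has to read this cookie (the commit message does not say), it should be `httponly=True` as well, and either way the asymmetry deserves a why-comment such as `# access token is intentionally readable by the frontend; refresh token is HttpOnly` (or a fix, if the readability is not needed). Neither `set_cookie` call passes `max_age`/`expires`, so both become browser-session cookies regardless of the lifetime baked into the token itself, and the refresh cookie is left on the default path, so it is sent with every request although only the refresh route consumes it — consider a `max_age` that matches the configured token lifetime and a `path` scoped to the refresh route (the router's mount prefix is not visible in this hunk). The same two `set_cookie` lines are repeated in the `/refresh` hunk below; a small module-level helper keeps the cookie attributes in one place so both call sites stay in sync. The `tokens["refresh_token"]` / `tokens["access_token"]` keys assume the return shape of `create_user_tokens`, which is not visible here.

```python
def _set_token_cookies(response: Response, tokens: dict) -> None:
    """Attach the freshly issued tokens to *response* as cookies.

    The refresh token is HttpOnly; the access token is deliberately readable
    by the frontend — confirm this is required before keeping httponly=False.
    """
    response.set_cookie("refresh_token_lf", tokens["refresh_token"], httponly=True, secure=True, samesite="strict")
    response.set_cookie("access_token_lf", tokens["access_token"], httponly=False, secure=True, samesite="strict")

# … unchanged: login_to_get_access_token signature and user lookup …
    if user:
        tokens = create_user_tokens(user_id=user.id, db=db, update_last_login=True)
        _set_token_cookies(response, tokens)
        return tokens
```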
@@ -55,9 +59,12 @@ async def auto_login(db: Session = Depends(get_session), settings_service=Depend
 @router.post("/refresh")
-async def refresh_token(token: str):
+async def refresh_token(response: Response, token: str):
     if token:
-        return create_refresh_token(token)
+        tokens = create_refresh_token(token)
+        response.set_cookie("refresh_token_lf", tokens["refresh_token"], httponly=True, secure=True, samesite="strict")
+        response.set_cookie("access_token_lf", tokens["access_token"], httponly=False, secure=True, samesite="strict")
+        return tokens
     else:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,