
Setup UserKit with HTTP-only cookies


1. Set up a proxy endpoint

To enable HTTP-only session cookies on your website, you'll need to set up an endpoint on your website that forwards requests from the widget to UserKit servers. Because the cookie is HttpOnly, browser scripts (the widget included) cannot read the private token; only this endpoint reads and sets it.

Python (generic handler):

```python
import userkit
uk = userkit.UserKit('{YOUR_USERKIT_SECRET_KEY}')


# Handler for /userkit-widget-proxy endpoint
def widget_proxy_handler(request, response):
  # 1. Extract the private token from the http-only cookie.
  # 2. Forward the UserKit widget request to UserKit's servers,
  #    along with the private token.
  # 3. Set the http-only cookie.
  # 4. Return the UserKit response back to the widget.
  private_token = request.cookies.get('httponly_session_token')
  resp = uk.widget.proxy(request.data, private_token)
  response.set_cookie('httponly_session_token', resp.token_private,
                      httponly=True)
  response.write(resp.body)
```

Python (Flask):

```python
from flask import Flask, request, make_response
import userkit

app = Flask(__name__)
uk = userkit.UserKit('{YOUR_USERKIT_SECRET_KEY}')


# The widget POSTs to this endpoint; Flask routes accept only GET by default.
@app.route('/userkit-widget-proxy', methods=['POST'])
def userkit_widget_proxy():
  # 1. Extract the private token from the http-only cookie.
  # 2. Forward the UserKit widget request to UserKit's servers,
  #    along with the private token.
  # 3. Set the http-only cookie.
  # 4. Return the UserKit response back to the widget.
  private_token = request.cookies.get('httponly_session_token')
  resp = uk.widget.proxy(request.data, private_token)
  response = make_response(resp.response)
  response.set_cookie('httponly_session_token', resp.token_private,
                      httponly=True,  # not readable from JavaScript
                      secure=True)    # only sent over HTTPS
  return response
```

Python (App Engine):

```python
import webapp2
import userkit
uk = userkit.UserKit('{YOUR_USERKIT_SECRET_KEY}')


# Handler for /userkit-widget-proxy endpoint
class UserKitWidgetProxy(webapp2.RequestHandler):

  def post(self):
    # 1. Extract the private token from the http-only cookie.
    # 2. Forward the UserKit widget request to UserKit's servers,
    #    along with the private token.
    # 3. Set the http-only cookie.
    # 4. Return the UserKit response back to the widget.
    private_token = self.request.cookies.get('httponly_session_token')
    resp = uk.widget.proxy(self.request.body, private_token)
    self.response.set_cookie('httponly_session_token',
                             resp.private_token,
                             httponly=True,  # not readable from JavaScript
                             secure=True)    # only sent over HTTPS
    self.response.write(resp.response)
```

2. Configure the UserKit widget

Next you'll need to tell the UserKit widget to send its requests to the endpoint you set up in step 1. Do this by setting the `data-proxy` data property:

```html
<script src="https://widget.userkit.io/widget.js"
	data-proxy="/userkit-widget-proxy">
</script>
```

3. Getting a user server-side with the http-only token

When you want to fetch a user via the server SDK, you'll need to pass the http-only token along with the usual session token.

```python
import userkit
uk = userkit.UserKit("<YOUR_APP_SECRET_KEY>")


def request_handler(request, response):
  # Along with the usual session token, you'll also need
  # to pass in the private token from the httponly cookie
  # you set in your widget proxy endpoint
  token = request.get_cookie("userkit_auth_token")
  httponly_token = request.get_cookie("httponly_session_token")
  user = uk.users.get_current_user(token, httponly_token)

  if user:
    # There's a logged in user
    response.write("Welcome, {}".format(user.name))
  else:
    # No logged in user, redirect to login page
    response.redirect("/account.html")
```
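The following is an added, framework-independent example (not UserKit's own code) that ties steps 1 and 3 together: it parses the raw Cookie header, forwards the widget request with the private token, writes the token back with the HttpOnly, Secure and SameSite flags, and refuses a server-side lookup when either token is missing. `forward` and `lookup` are hypothetical stand-ins for `uk.widget.proxy()` and `uk.users.get_current_user()`, whose real return shapes are not shown on this page; the sample tokens are constructed.

```python
from http.cookies import SimpleCookie
PRIVATE_COOKIE = "httponly_session_token"   # cookie names from the page
SESSION_COOKIE = "userkit_auth_token"

def parse_cookies(header):
    """Turn a raw Cookie: request header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}

def private_token_set_cookie(token):
    """Serialize the private-token cookie. HttpOnly keeps it out of
    document.cookie, Secure restricts it to HTTPS, and SameSite=Lax stops
    the browser attaching it to cross-site POSTs to the proxy endpoint."""
    jar = SimpleCookie()
    jar[PRIVATE_COOKIE] = token
    morsel = jar[PRIVATE_COOKIE]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return morsel.OutputString()

def widget_proxy(cookie_header, widget_body, forward):
    """Step 1: forward the widget's request together with the private
    token from the cookie; return (response_headers, body). The cookie is
    only rewritten when the upstream call hands back a token."""
    private_token = parse_cookies(cookie_header).get(PRIVATE_COOKIE)
    body, new_private_token = forward(widget_body, private_token)
    headers = {"Content-Type": "application/json"}
    if new_private_token:
        headers["Set-Cookie"] = private_token_set_cookie(new_private_token)
    return headers, body

def current_user(cookie_header, lookup):
    """Step 3: both the widget's session token and the HttpOnly private
    token are needed; if either is missing there is no logged-in user."""
    cookies = parse_cookies(cookie_header)
    token, private_token = cookies.get(SESSION_COOKIE), cookies.get(PRIVATE_COOKIE)
    if not token or not private_token:
        return None
    return lookup(token, private_token)

# Constructed stand-ins (hypothetical) for uk.widget.proxy() and
# uk.users.get_current_user(), so the block runs offline.
def fake_forward(widget_body, private_token):
    return {"had_token": private_token is not None}, private_token or "priv-ABC123"

def fake_lookup(token, private_token):
    return {"name": "Ada"} if (token, private_token) == ("sess-XYZ", "priv-ABC123") else None
```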