1. Set up a proxy endpoint

To enable http-only session cookies on your website, you'll need to set up an endpoint on your website that forwards requests from the widget to UserKit servers.

import userkit
# Server-side SDK client. The literal below is a placeholder for your secret
# key, which authenticates your app to UserKit: keep the real value out of
# source control (read it from the environment or a secrets store instead).
uk = userkit.UserKit('{YOUR_USERKIT_SECRET_KEY}')


# Handler for /userkit-widget-proxy endpoint
def widget_proxy_handler(request, response):
  """Forward a widget request to UserKit and refresh the http-only cookie.

  The widget cannot read an http-only cookie itself, so this endpoint reads
  the private token from the cookie, sends it to UserKit together with the
  widget's request body, stores the token UserKit hands back in the same
  cookie, and writes UserKit's reply out to the widget.
  """
  # Use get() rather than indexing so a missing cookie does not raise.
  cookie_token = request.cookies.get('httponly_session_token')
  proxied = uk.widget.proxy(request.data, cookie_token)
  # httponly keeps the token out of reach of page scripts.
  # NOTE(review): the cookie carries a session credential; when served over
  # HTTPS consider also setting the Secure flag so it is never sent in
  # plaintext (available cookie kwargs depend on your framework).
  # NOTE(review): the other samples on this page read `resp.response`, and
  # the webapp2 one `resp.private_token`; confirm which attribute names the
  # SDK's proxy result actually exposes.
  response.set_cookie('httponly_session_token', proxied.token_private,
                      httponly=True)
  response.write(proxied.body)
from flask import Flask, request, make_response
app = Flask(__name__)
import userkit
# Server-side SDK client. The literal below is a placeholder for your secret
# key, which authenticates your app to UserKit: keep the real value out of
# source control (read it from the environment or a secrets store instead).
uk = userkit.UserKit('{YOUR_USERKIT_SECRET_KEY}')


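# The widget's request carries a body (read via request.data below) and the
# webapp2 sample on this page handles it in post(); a Flask route only
# accepts GET unless methods is given, so a POST would otherwise get a 405.
@app.route('/userkit-widget-proxy', methods=['POST'])
def userkit_widget_proxy():
  """Proxy a UserKit widget request and refresh the http-only session cookie.

  Steps:
    1. Read the private token from the http-only cookie (None if missing).
    2. Forward the widget's request body plus that token to UserKit.
    3. Store the private token UserKit returns in the http-only cookie.
    4. Return UserKit's response body to the widget.

  Returns:
    A Flask response whose body is UserKit's reply and whose headers set
    the refreshed 'httponly_session_token' cookie.
  """
  private_token = request.cookies.get('httponly_session_token')
  resp = uk.widget.proxy(request.data, private_token)
  response = make_response(resp.response)
  # httponly keeps the token out of reach of page scripts; Secure stops the
  # browser sending it over plain http. It is tied to the request scheme so
  # local http development keeps working (behind a TLS-terminating proxy,
  # request.is_secure may read False unless ProxyFix or similar is set up).
  # NOTE(review): the webapp2 sample reads resp.private_token; confirm which
  # attribute name the SDK's proxy result exposes.
  response.set_cookie('httponly_session_token', resp.token_private,
                      httponly=True, secure=request.is_secure)
  return response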
import webapp2
import userkit
# Server-side SDK client. The literal below is a placeholder for your secret
# key, which authenticates your app to UserKit: keep the real value out of
# source control (read it from the environment or a secrets store instead).
uk = userkit.UserKit('{YOUR_USERKIT_SECRET_KEY}')


# Handler for /userkit-widget-proxy endpoint
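class UserKitWidgetProxy(webapp2.RequestHandler):
  """Proxy widget requests to UserKit, keeping the private token in an http-only cookie."""

  def post(self):
    """Forward the widget's POST body to UserKit and refresh the cookie.

    1. Read the private token from the http-only cookie (None if missing).
    2. Forward the request body plus that token to UserKit.
    3. Store the private token UserKit returns in the http-only cookie.
    4. Write UserKit's response body back to the widget.
    """
    private_token = self.request.cookies.get('httponly_session_token')
    resp = uk.widget.proxy(self.request.body, private_token)
    # httponly hides the token from page scripts; Secure keeps it off plain
    # http. Derived from the request scheme so local http development still
    # works (behind a TLS-terminating proxy the scheme may read as http).
    # NOTE(review): the Flask sample reads resp.token_private; confirm which
    # attribute name the SDK's proxy result exposes.
    self.response.set_cookie('httponly_session_token',
                             resp.private_token,
                             httponly=True,
                             secure=(self.request.scheme == 'https'))
    self.response.write(resp.response)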

2. Configure the UserKit widget

Next you'll need to tell the UserKit widget that it should make requests to the endpoint you set up in step 1. Do this by setting the data-proxy data property:

<!-- data-proxy must match the path of the proxy endpoint from step 1
     (/userkit-widget-proxy in the samples above); the widget sends its
     requests there instead of directly to UserKit. -->
<script src="https://widget.userkit.io/widget.js"
	data-proxy="/userkit-widget-proxy">
</script>

3. Getting a user server-side with the http-only token

When you want to fetch a user via the server SDK, you'll need to pass the http-only token along with the usual session token.

import userkit
# Server-side SDK client. The literal below is a placeholder for your app's
# secret key: keep the real value out of source control (environment
# variable or a secrets store).
uk = userkit.UserKit("<YOUR_APP_SECRET_KEY>")


def request_handler(request, response):
  """Greet the current user, or send anonymous visitors to the login page.

  Resolving the user through the server SDK needs two cookies: the usual
  session token and the private token that the widget proxy endpoint stored
  in the http-only cookie.
  """
  session_token = request.get_cookie("userkit_auth_token")
  private_token = request.get_cookie("httponly_session_token")
  user = uk.users.get_current_user(session_token, private_token)

  if not user:
    # Nobody is logged in: hand off to the login page.
    response.redirect("/account.html")
    return

  # A user is logged in; the name comes from the SDK's user object.
  # NOTE(review): user.name is written out unescaped — if this response is
  # HTML, escape it (html.escape) or render it through a template.
  response.write("Welcome, {}".format(user.name))