From a7b114725a8783c583f5c91f6266f27ae6d25e41 Mon Sep 17 00:00:00 2001 From: maozhen Date: Mon, 29 Dec 2025 14:02:57 +0800 Subject: [PATCH 1/3] ``` feat(auth): make JWT token expiration configurable via environment variable- Add JWT_LIFETIME_SECONDS environment variable to configure token expiration - Set default expiration to3600 seconds (1 hour) for both API and client auth backends - Remove hardcoded expiration values in favor of environment-based configuration - Add documentation comments explaining the JWT strategy configuration feat(auth): make cookie domain configurable via environment variable - Add AUTH_TOKEN_COOKIE_DOMAIN environment variable to configure cookie domain - When not set or empty, cookie domain defaults to None allowing cross-domain usage - Add documentation explaining cookie expiration is handled by JWT strategy - Update default_transport to use environment-based cookie domainfeat(docker): add CORS_ALLOWED_ORIGINS environment variable - Add CORS_ALLOWED_ORIGINS environment variable with default value of '*' - Configure frontend to use NEXT_PUBLIC_BACKEND_API_URL environment variable - Set default backend API URL to http://localhost:8000 feat(docker): add restart policy to all services - Add restart: always policy to cognee, frontend, neo4j, chromadb, and postgres services - This ensures services automatically restart on failure or system reboot - Improves container reliability and uptime``` --- .../authentication/default/default_transport.py | 12 +++++++++++- .../users/authentication/get_api_auth_backend.py | 6 ++++-- .../users/authentication/get_client_auth_backend.py | 4 +++- docker-compose.yml | 8 ++++++++ 4 files changed, 26 insertions(+), 4 deletions(-) diff --git a/cognee/modules/users/authentication/default/default_transport.py b/cognee/modules/users/authentication/default/default_transport.py index aed795de2..f9ec33e8d 100644 --- a/cognee/modules/users/authentication/default/default_transport.py 
+++ b/cognee/modules/users/authentication/default/default_transport.py @@ -1,12 +1,22 @@ import os from fastapi_users.authentication import CookieTransport +# Get cookie domain from environment variable +# If not set or empty, use None to allow cookie to work on any domain +cookie_domain = os.getenv("AUTH_TOKEN_COOKIE_DOMAIN") +if cookie_domain == "": + cookie_domain = None + +# Note: Cookie expiration is automatically set by FastAPI Users based on JWT Strategy's lifetime_seconds +# The JWT Strategy lifetime_seconds is configured in get_client_auth_backend.py +# and reads from JWT_LIFETIME_SECONDS environment variable + default_transport = CookieTransport( cookie_name=os.getenv("AUTH_TOKEN_COOKIE_NAME", "auth_token"), cookie_secure=False, cookie_httponly=True, cookie_samesite="Lax", - cookie_domain="localhost", + cookie_domain=cookie_domain, # None allows cookie to work on any domain ) default_transport.name = "cookie" diff --git a/cognee/modules/users/authentication/get_api_auth_backend.py b/cognee/modules/users/authentication/get_api_auth_backend.py index f36efafd9..8a408250c 100644 --- a/cognee/modules/users/authentication/get_api_auth_backend.py +++ b/cognee/modules/users/authentication/get_api_auth_backend.py @@ -16,8 +16,10 @@ def get_api_auth_backend(): def get_jwt_strategy() -> JWTStrategy[models.UP, models.ID]: secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret") - - return APIJWTStrategy(secret, lifetime_seconds=36000) + # 使用环境变量配置过期时间,默认与 client_auth_backend 保持一致(3600秒) + lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) + + return APIJWTStrategy(secret, lifetime_seconds=lifetime_seconds) auth_backend = AuthenticationBackend( name=transport.name, diff --git a/cognee/modules/users/authentication/get_client_auth_backend.py b/cognee/modules/users/authentication/get_client_auth_backend.py index ccf59dafd..3ffe668a8 100644 --- a/cognee/modules/users/authentication/get_client_auth_backend.py 
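Review bot: The added comment block in default_transport.py states that cookie expiration is set automatically from the JWT strategy's lifetime_seconds, but CookieTransport takes its own `cookie_max_age` argument, which this call leaves at its default, so the browser receives a session cookie whose embedded JWT nonetheless expires after JWT_LIFETIME_SECONDS. Suggested replacement for those three comment lines: `# cookie_max_age is not set, so the browser keeps this as a session cookie; the JWT inside still expires after JWT_LIFETIME_SECONDS (see get_client_auth_backend.py)`. The inline comment `# None allows cookie to work on any domain` is also misleading: with `cookie_domain=None` the browser stores a host-only cookie for the responding host, which excludes subdomains, so it is the narrower setting rather than the broader one. The empty-string normalisation can be a single line, `cookie_domain = os.getenv("AUTH_TOKEN_COOKIE_DOMAIN") or None`. Since the domain is now meant to be set per deployment, the hard-coded `cookie_secure=False` on the context line is worth making environment-driven in the same way.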
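Review bot: The new `lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600"))` accepts zero and negative values; if APIJWTStrategy inherits fastapi-users' write_token, a falsy lifetime is passed through to generate_jwt, which then omits the `exp` claim entirely, so `JWT_LIFETIME_SECONDS=0` would mint non-expiring tokens for this backend and for the identical line in the get_client_auth_backend.py hunk. A positivity check after the parse, `if lifetime_seconds <= 0: raise ValueError("JWT_LIFETIME_SECONDS must be a positive integer")`, closes that. The comment on the preceding added line is in Chinese while the rest of the file is in English; a one-line English comment such as `# Token lifetime from the environment; default 3600 s to match the client backend` keeps the file consistent. The enclosing get_api_auth_backend starts outside the hunk.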
+++ b/cognee/modules/users/authentication/get_client_auth_backend.py @@ -18,8 +18,10 @@ def get_client_auth_backend(): from .default.default_jwt_strategy import DefaultJWTStrategy secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret") + # 使用环境变量配置过期时间,默认 3600 秒(1小时) + lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) - return DefaultJWTStrategy(secret, lifetime_seconds=3600) + return DefaultJWTStrategy(secret, lifetime_seconds=lifetime_seconds) auth_backend = AuthenticationBackend( name=transport.name, diff --git a/docker-compose.yml b/docker-compose.yml index 472f24c21..7df3c5695 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,7 @@ services: cognee: container_name: cognee + restart: always networks: - cognee-network build: @@ -14,6 +15,7 @@ services: - HOST=0.0.0.0 - ENVIRONMENT=local - LOG_LEVEL=INFO + - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-*} extra_hosts: # Allows the container to reach your local machine using "host.docker.internal" instead of "localhost" - "host.docker.internal:host-gateway" @@ -68,6 +70,9 @@ services: # If you want to use Cognee with a UI environment you can integrate the Cognee MCP Server into Cursor / Claude Desktop / Visual Studio Code (through Cline/Roo) frontend: container_name: frontend + restart: always + environment: + - NEXT_PUBLIC_BACKEND_API_URL=${NEXT_PUBLIC_BACKEND_API_URL:-http://localhost:8000} profiles: - ui build: @@ -85,6 +90,7 @@ services: neo4j: image: neo4j:latest container_name: neo4j + restart: always profiles: - neo4j ports: @@ -99,6 +105,7 @@ services: chromadb: image: chromadb/chroma:0.6.3 container_name: chromadb + restart: always profiles: - chromadb environment: @@ -117,6 +124,7 @@ services: postgres: image: pgvector/pgvector:pg17 container_name: postgres + restart: always profiles: - postgres environment: From 5a77c36a9593e566f05d3299b5220af7b082f2a4 Mon Sep 17 00:00:00 2001 
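Review bot: The env parsing added here duplicates the line added in the get_api_auth_backend.py hunk byte for byte, so the two backends can silently drift when one is later edited, which patch 3 of this series already does separately for each file. Hoisting a small helper, e.g. `def get_jwt_lifetime_seconds() -> int:` in a module shared by both strategies, and calling it from both `get_jwt_strategy` closures gives one place for the parse, the default and any validation. The Chinese comment should be English to match the rest of the file. get_client_auth_backend starts outside the hunk.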
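Review bot: `restart: always` on the cognee service (and in the four later hunks for frontend, neo4j, chromadb and postgres) also brings a container back after an operator deliberately stops it with `docker stop`, which is surprising during incident handling or maintenance; `restart: unless-stopped` gives the reboot-and-crash recovery the commit message asks for without that behaviour. One line per service: `restart: unless-stopped`.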
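Review bot: `CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-*}` makes the wildcard the default for a backend whose authentication is a cookie (default_transport.py in this same patch), so any deployment that forgets to set the variable ships cross-origin access open to every site; if the backend's CORS middleware reflects the requesting origin when credentials are allowed, as Starlette's does for a `*` configuration on requests carrying cookies, that is the worst combination for cookie-authenticated sessions. Defaulting to the local frontend origin, or failing the compose-up when the value is missing, e.g. `- CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:?set to the frontend origin}`, keeps the insecure value an explicit choice. How the variable is consumed is not visible in this diff, so the middleware behaviour is inferred.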
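Review bot: `NEXT_PUBLIC_BACKEND_API_URL` is given to the frontend as a runtime `environment:` entry, but the service is built from source (`build:` is on the following context line) and, if the image serves a `next build` output, `NEXT_PUBLIC_*` values are inlined into the bundle at build time, so this runtime value would be ignored unless the same variable also reaches the build through a `build.args` entry. Passing it on both sides, or documenting that the image must be rebuilt when it changes, avoids a silent fallback to whatever was baked in. The frontend's Dockerfile is not in this diff, so this is inferred.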
From: maozhen Date: Mon, 29 Dec 2025 14:17:30 +0800 Subject: [PATCH 2/3] ``` refactor(auth): remove redundant comments from JWT strategy configurationRemove duplicate comments that were explaining the JWT lifetime configuration in both API and client authentication backends. The code remains functionallyunchanged but comments are cleaned up for better maintainability. ``` --- cognee/modules/users/authentication/get_api_auth_backend.py | 1 - cognee/modules/users/authentication/get_client_auth_backend.py | 1 - 2 files changed, 2 deletions(-) diff --git a/cognee/modules/users/authentication/get_api_auth_backend.py b/cognee/modules/users/authentication/get_api_auth_backend.py index 8a408250c..4c11d3903 100644 --- a/cognee/modules/users/authentication/get_api_auth_backend.py +++ b/cognee/modules/users/authentication/get_api_auth_backend.py @@ -16,7 +16,6 @@ def get_api_auth_backend(): def get_jwt_strategy() -> JWTStrategy[models.UP, models.ID]: secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret") - # 使用环境变量配置过期时间,默认与 client_auth_backend 保持一致(3600秒) lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) return APIJWTStrategy(secret, lifetime_seconds=lifetime_seconds) diff --git a/cognee/modules/users/authentication/get_client_auth_backend.py b/cognee/modules/users/authentication/get_client_auth_backend.py index 3ffe668a8..ba5dad2b3 100644 --- a/cognee/modules/users/authentication/get_client_auth_backend.py +++ b/cognee/modules/users/authentication/get_client_auth_backend.py @@ -18,7 +18,6 @@ def get_client_auth_backend(): from .default.default_jwt_strategy import DefaultJWTStrategy secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret") - # 使用环境变量配置过期时间,默认 3600 秒(1小时) lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) return DefaultJWTStrategy(secret, lifetime_seconds=lifetime_seconds) From e47fda4872ea33c8ae0b4f0ea14a50bfcbe291e0 Mon Sep 17 00:00:00 2001 
From: maozhen Date: Mon, 29 Dec 2025 14:39:13 +0800 Subject: [PATCH 3/3] ``` fix(auth): add error handling for JWT lifetime configuration - Add try-catch block to handle invalid JWT_LIFETIME_SECONDS environment variable - Default to 360 seconds when environment variable is not a valid integer - Apply same fix to both API and client authentication backendsdocs(docker): add security warning for CORS configuration - Add comment warning about default CORS_ALLOWED_ORIGINS setting - Emphasize need to override wildcard with specific domains in production ``` --- cognee/modules/users/authentication/get_api_auth_backend.py | 5 ++++- .../modules/users/authentication/get_client_auth_backend.py | 5 ++++- docker-compose.yml | 1 + 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/cognee/modules/users/authentication/get_api_auth_backend.py b/cognee/modules/users/authentication/get_api_auth_backend.py index 4c11d3903..ffb591a9d 100644 --- a/cognee/modules/users/authentication/get_api_auth_backend.py +++ b/cognee/modules/users/authentication/get_api_auth_backend.py @@ -16,7 +16,10 @@ def get_api_auth_backend(): def get_jwt_strategy() -> JWTStrategy[models.UP, models.ID]: secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret") - lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) + try: + lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) + except ValueError: + lifetime_seconds = 3600 return APIJWTStrategy(secret, lifetime_seconds=lifetime_seconds) diff --git a/cognee/modules/users/authentication/get_client_auth_backend.py b/cognee/modules/users/authentication/get_client_auth_backend.py index ba5dad2b3..bf794377d 100644 --- a/cognee/modules/users/authentication/get_client_auth_backend.py +++ b/cognee/modules/users/authentication/get_client_auth_backend.py 
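Review bot: The new `except ValueError: lifetime_seconds = 3600` turns a misconfigured JWT_LIFETIME_SECONDS into a silent default, so an operator who typed `1h` gets one-hour tokens with no indication that their setting was ignored; the commit description also says the fallback is 360 seconds while the code uses 3600. Raising with the offending value (or at least logging a warning) makes the misconfiguration visible, and the same branch should reject zero and negative values, which `int()` accepts. The identical hunk in get_client_auth_backend.py in this patch needs the same treatment; get_api_auth_backend starts outside the hunk.
```python
    def get_jwt_strategy() -> JWTStrategy[models.UP, models.ID]:
        # … unchanged: secret lookup …
        raw_lifetime = os.getenv("JWT_LIFETIME_SECONDS", "3600")
        try:
            lifetime_seconds = int(raw_lifetime)
        except ValueError:
            # Fail loudly: a typo here must not silently change token lifetime.
            raise ValueError(
                f"JWT_LIFETIME_SECONDS must be an integer number of seconds, got {raw_lifetime!r}"
            ) from None
        if lifetime_seconds <= 0:
            raise ValueError(f"JWT_LIFETIME_SECONDS must be positive, got {lifetime_seconds}")

        return APIJWTStrategy(secret, lifetime_seconds=lifetime_seconds)
```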
@@ -18,7 +18,10 @@ def get_client_auth_backend(): from .default.default_jwt_strategy import DefaultJWTStrategy secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret") - lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) + try: + lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600")) + except ValueError: + lifetime_seconds = 3600 return DefaultJWTStrategy(secret, lifetime_seconds=lifetime_seconds) diff --git a/docker-compose.yml b/docker-compose.yml index 7df3c5695..ac5aebb39 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,6 +15,7 @@ services: - HOST=0.0.0.0 - ENVIRONMENT=local - LOG_LEVEL=INFO + # CAUTION: Default '*' allows all origins. Override with specific domains in production. - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-*} extra_hosts: # Allows the container to reach your local machine using "host.docker.internal" instead of "localhost"