feat(auth): add PUBLIC_IPS env var and cookie-based session auth

- Add _parse_public_ips() to populate IPConfig.public_ips from
  comma-separated PUBLIC_IPS env var
- get_current_user falls back to session_token cookie when no
  Bearer token is present
- /token and /auth/login endpoints set httponly session_token cookie
  on successful authentication
- Add 12 unit tests and 4 e2e tests covering IP whitelisting and
  cookie auth paths

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: pythoninthegrass

app/main.py

@@ -14,7 +14,7 @@
 from decouple import config
 from fastapi import APIRouter, Depends, FastAPI, Form, HTTPException, Request, status
 from fastapi.middleware.cors import CORSMiddleware
-from fastapi.responses import HTMLResponse, RedirectResponse
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
 from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
 from fastapi.templating import Jinja2Templates
 from icecream import ic
@@ -86,12 +86,17 @@
 DISABLE_IP_WHITELIST = config("DISABLE_IP_WHITELIST", default=False, cast=bool)
 
 
+def _parse_public_ips() -> list[str]:
+    raw = config("PUBLIC_IPS", default="")
+    return [ip.strip() for ip in raw.split(",") if ip.strip()]
+
+
 class IPConfig(BaseModel):
     whitelist: list[str] = ["localhost", "127.0.0.1"]
     public_ips: list[str] = []
 
 
-ip_config = IPConfig()
+ip_config = IPConfig(public_ips=_parse_public_ips())
 
 
 def is_ip_allowed(request: Request):
@@ -208,8 +213,10 @@ def create_access_token(data: dict, expires_delta: timedelta | None = None):
     return encoded_jwt
 
 
-async def get_current_user(token: str | None = Depends(oauth2_scheme)):
-    """Get current user"""
+async def get_current_user(request: Request, token: str | None = Depends(oauth2_scheme)):
+    """Get current user from Bearer token or session_token cookie."""
+    if token is None:
+        token = request.cookies.get("session_token")
     if token is None:
         return None
     credentials_exception = HTTPException(
@@ -280,7 +287,16 @@ async def login_for_oauth_token(form_data: OAuth2PasswordRequestForm = Depends()
     oauth_token_expires = timedelta(minutes=TOKEN_EXPIRE)
     oauth_token = create_access_token(data={"sub": user.username}, expires_delta=oauth_token_expires)
 
-    return {"access_token": oauth_token, "token_type": "bearer"}
+    response = JSONResponse(content={"access_token": oauth_token, "token_type": "bearer"})
+    response.set_cookie(
+        key="session_token",
+        value=oauth_token,
+        httponly=True,
+        secure=not DEV,
+        samesite="lax",
+        max_age=TOKEN_EXPIRE * 60,
+    )
+    return response
 
 
 """
@@ -318,7 +334,18 @@ def index(request: Request):
 def login(request: Request, username: str = Form(...), password: str = Form(...)):
     """Redirect to "/docs" from index page if user successfully logs in with HTML form"""
     if load_user(username) and verify_password(password, load_user(username).hashed_password):
-        return RedirectResponse(url="/docs", status_code=303)
+        oauth_token_expires = timedelta(minutes=TOKEN_EXPIRE)
+        oauth_token = create_access_token(data={"sub": username}, expires_delta=oauth_token_expires)
+        response = RedirectResponse(url="/docs", status_code=303)
+        response.set_cookie(
+            key="session_token",
+            value=oauth_token,
+            httponly=True,
+            secure=not DEV,
+            samesite="lax",
+            max_age=TOKEN_EXPIRE * 60,
+        )
+        return response
 
 
 @api_router.get("/token")

backlog/tasks/task-013 - Add-IP-whitelisting-and-cookie-based-session-auth.md

@@ -1,17 +1,18 @@
 ---
 id: TASK-013
 title: Add IP whitelisting and cookie-based session auth
-status: To Do
-assignee: []
+status: Done
+assignee:
+  - Claude
 created_date: '2026-02-27 00:54'
-updated_date: '2026-03-17 02:09'
+updated_date: '2026-03-20 23:34'
 labels:
   - auth
 dependencies: []
 references:
   - app/main.py
 priority: medium
-ordinal: 6000
+ordinal: 2500
 ---
 
 ## Description
@@ -22,8 +23,38 @@ Two auth improvements: (1) populate public_ips in IPConfig so external IPs can b
 
 ## Acceptance Criteria
 <!-- AC:BEGIN -->
-- [ ] #1 IPConfig.public_ips is configurable (env var or config file) and tested
-- [ ] #2 User session is persisted in a secure, httponly cookie
-- [ ] #3 Existing bearer token auth still works alongside cookie auth
-- [ ] #4 Tests cover both cookie-based and IP-whitelisted auth paths
+- [x] #1 IPConfig.public_ips is configurable (env var or config file) and tested
+- [x] #2 User session is persisted in a secure, httponly cookie
+- [x] #3 Existing bearer token auth still works alongside cookie auth
+- [x] #4 Tests cover both cookie-based and IP-whitelisted auth paths
 <!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+## Implementation Plan
+
+### AC #1: IPConfig.public_ips configurable via env var
+- Add `PUBLIC_IPS` env var (comma-separated) read via `decouple.config`
+- Pass into `IPConfig(public_ips=...)` at initialization
+- Empty/unset means no public IPs (current default)
+
+### AC #2: Cookie-based session persistence
+- After successful login at `/token` and `/auth/login`, set `session_token` httponly cookie with the JWT
+- Modify `get_current_user` to check cookie fallback when no Bearer token present
+- Cookie attrs: httponly, secure (HTTPS), samesite=lax, max_age from TOKEN_EXPIRE
+
+### AC #3: Bearer token still works alongside cookie
+- `get_current_user` checks Bearer first, falls back to cookie — no breaking changes
+- `ip_whitelist_or_auth` unchanged
+
+### AC #4: Tests
+- Unit: IPConfig with PUBLIC_IPS env var, is_ip_allowed with public IPs, get_current_user cookie extraction
+- E2E: login sets cookie, subsequent cookied request works, bearer still works
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+All 4 ACs implemented and tested. 12 new unit tests + 4 new e2e tests. 88 total tests passing.
+<!-- SECTION:NOTES:END -->

tests/test_e2e.py

@@ -216,3 +216,42 @@ def test_get_events_authenticated(self, auth_session, base_url):
     def test_get_events_no_params_uses_defaults(self, auth_session, base_url):
         resp = auth_session.get(f"{base_url}/api/events")
         assert resp.status_code == 200
+
+
+@pytest.mark.e2e
+class TestCookieAuth:
+    def test_token_endpoint_sets_session_cookie(self, e2e_server, base_url):
+        with httpx.Client() as client:
+            resp = client.post(
+                f"{base_url}/token",
+                data={"username": e2e_server["db_user"], "password": e2e_server["db_pass"]},
+            )
+            assert resp.status_code == 200
+            assert "session_token" in resp.cookies
+
+    def test_cookie_auth_accesses_protected_endpoint(self, e2e_server, base_url):
+        with httpx.Client() as client:
+            resp = client.post(
+                f"{base_url}/token",
+                data={"username": e2e_server["db_user"], "password": e2e_server["db_pass"]},
+            )
+            assert resp.status_code == 200
+            cookie_token = resp.cookies["session_token"]
+
+            client.cookies.set("session_token", cookie_token)
+            resp = client.get(f"{base_url}/api/events")
+            assert resp.status_code == 200
+
+    def test_bearer_still_works_without_cookie(self, auth_session, base_url):
+        resp = auth_session.get(f"{base_url}/api/events")
+        assert resp.status_code == 200
+
+    def test_form_login_sets_session_cookie(self, e2e_server, base_url):
+        with httpx.Client() as client:
+            resp = client.post(
+                f"{base_url}/auth/login",
+                data={"username": e2e_server["db_user"], "password": e2e_server["db_pass"]},
+                follow_redirects=False,
+            )
+            assert resp.status_code == 303
+            assert "session_token" in resp.cookies

tests/test_unit.py

@@ -13,7 +13,7 @@
 from fastapi import HTTPException
 from fastapi.testclient import TestClient
 from jose import jwt
-from main import UserInDB, app, get_current_user
+from main import IPConfig, UserInDB, app, get_current_user, is_ip_allowed
 from meetup_query import (
     build_batched_group_query,
     export_to_file,
@@ -466,6 +466,141 @@ def test_invalid_token(raw_test_client):
         assert "detail" in response.json()
 
 
+# ── IP whitelisting tests ──────────────────────────────────────────
+
+
+@pytest.mark.unit
+class TestIPConfigPublicIps:
+    """IPConfig.public_ips should be configurable via PUBLIC_IPS env var."""
+
+    def test_default_public_ips_empty(self):
+        cfg = IPConfig()
+        assert cfg.public_ips == []
+
+    def test_public_ips_from_env_single(self):
+        with patch.dict(os.environ, {"PUBLIC_IPS": "10.0.0.1"}):
+            from main import _parse_public_ips
+
+            ips = _parse_public_ips()
+            assert ips == ["10.0.0.1"]
+
+    def test_public_ips_from_env_multiple(self):
+        with patch.dict(os.environ, {"PUBLIC_IPS": "10.0.0.1,192.168.1.1,172.16.0.1"}):
+            from main import _parse_public_ips
+
+            ips = _parse_public_ips()
+            assert ips == ["10.0.0.1", "192.168.1.1", "172.16.0.1"]
+
+    def test_public_ips_from_env_empty(self):
+        with patch.dict(os.environ, {"PUBLIC_IPS": ""}):
+            from main import _parse_public_ips
+
+            ips = _parse_public_ips()
+            assert ips == []
+
+    def test_public_ips_strips_whitespace(self):
+        with patch.dict(os.environ, {"PUBLIC_IPS": " 10.0.0.1 , 192.168.1.1 "}):
+            from main import _parse_public_ips
+
+            ips = _parse_public_ips()
+            assert ips == ["10.0.0.1", "192.168.1.1"]
+
+
+@pytest.mark.unit
+class TestIsIpAllowedWithPublicIps:
+    """is_ip_allowed should match against both whitelist and public_ips."""
+
+    def test_allowed_via_public_ips(self):
+        mock_request = MagicMock()
+        mock_request.client.host = "203.0.113.50"
+        with patch("main.ip_config", IPConfig(public_ips=["203.0.113.50"])):
+            assert is_ip_allowed(mock_request) is True
+
+    def test_denied_when_not_in_either_list(self):
+        mock_request = MagicMock()
+        mock_request.client.host = "203.0.113.99"
+        with patch("main.ip_config", IPConfig(public_ips=["203.0.113.50"])):
+            assert is_ip_allowed(mock_request) is False
+
+    def test_allowed_via_whitelist(self):
+        mock_request = MagicMock()
+        mock_request.client.host = "127.0.0.1"
+        with patch("main.ip_config", IPConfig()):
+            assert is_ip_allowed(mock_request) is True
+
+
+# ── Cookie auth tests ─────────────────────────────────────────────
+
+
+@pytest.mark.unit
+class TestCookieAuth:
+    """get_current_user should fall back to session_token cookie when no Bearer token."""
+
+    def test_cookie_auth_returns_user(self, raw_test_client):
+        from main import ALGORITHM, SECRET_KEY, get_password_hash
+
+        token = jwt.encode({"sub": "testuser"}, SECRET_KEY, algorithm=ALGORITHM)
+        with (
+            patch("main.DEV", False),
+            patch("main.is_ip_allowed", return_value=False),
+            patch(
+                "main.get_user",
+                return_value=UserInDB(
+                    username="testuser",
+                    email="test@example.com",
+                    hashed_password=get_password_hash("pass"),
+                ),
+            ),
+        ):
+            raw_test_client.cookies.set("session_token", token)
+            response = raw_test_client.get("/api/events")
+            raw_test_client.cookies.clear()
+            assert response.status_code == 200
+
+    def test_bearer_takes_precedence_over_cookie(self, raw_test_client):
+        from main import ALGORITHM, SECRET_KEY, get_password_hash
+
+        good_token = jwt.encode({"sub": "testuser"}, SECRET_KEY, algorithm=ALGORITHM)
+        bad_cookie = "invalid_cookie_token"
+        with (
+            patch("main.DEV", False),
+            patch("main.is_ip_allowed", return_value=False),
+            patch(
+                "main.get_user",
+                return_value=UserInDB(
+                    username="testuser",
+                    email="test@example.com",
+                    hashed_password=get_password_hash("pass"),
+                ),
+            ),
+        ):
+            raw_test_client.cookies.set("session_token", bad_cookie)
+            response = raw_test_client.get(
+                "/api/events",
+                headers={"Authorization": f"Bearer {good_token}"},
+            )
+            raw_test_client.cookies.clear()
+            assert response.status_code == 200
+
+    def test_invalid_cookie_returns_401(self, raw_test_client):
+        with (
+            patch("main.DEV", False),
+            patch("main.is_ip_allowed", return_value=False),
+        ):
+            raw_test_client.cookies.set("session_token", "invalid")
+            response = raw_test_client.get("/api/events")
+            raw_test_client.cookies.clear()
+            assert response.status_code == 401
+
+    def test_no_token_no_cookie_returns_401(self, raw_test_client):
+        with (
+            patch("main.DEV", False),
+            patch("main.is_ip_allowed", return_value=False),
+        ):
+            response = raw_test_client.get("/api/events")
+            assert response.status_code == 401
+
+
 # ── Deprecation / bcrypt tests ──────────────────────────────────────