chore(deps): Bump fastapi-users from 14.0.1 to 15.0.2 in /backend/requirements #6897

Merged
jmelahman merged 3 commits into main from dependabot/pip/backend/requirements/fastapi-users-15.0.2
Jan 20, 2026

Conversation

@dependabot dependabot bot commented on behalf of github Dec 19, 2025

Bumps fastapi-users from 14.0.1 to 15.0.2.

Release notes

Sourced from fastapi-users's releases.

v15.0.2

Bump version 15.0.1 → 15.0.2

🛡️ Security Fix

A CSRF vulnerability was identified in the OAuth2 flow. To mitigate this, the authorize endpoint will set a cookie in the response, and this cookie will be expected in the callback request.

In most cases, this change should work out-of-the-box, but in certain scenarios (e.g. cross-domain setups), additional configuration may be required for the cookie to be correctly sent and received. [Read more]

Thanks to @davidbors-snyk from Snyk for his research, responsible disclosure, and assistance in fixing this issue.

Improvements

  • Bump dependencies
    • python-multipart ==0.0.21
    • pwdlib[argon2,bcrypt] ==0.3.0

v15.0.1

Bump version 15.0.0 → 15.0.1

Announcement

FastAPI Users is now in maintenance mode. While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.

[Read more]

Bug fixes

  • Handle expired JWT when handling OAuth callback (#1462). Thanks @mdaffad 🎉

v15.0.0

Bump version 14.0.2 → 15.0.0

Announcement

FastAPI Users is now in maintenance mode. While we'll continue to provide security updates and dependency maintenance, no new features will be added. We encourage you to explore the project and use it as-is, knowing it will remain stable and secure.

[Read more]

Breaking changes

  • Drop Python 3.9 support.
  • Drop Pydantic v1 support.

... (truncated)

Commits
  • 1df7c10 Bump version 15.0.1 → 15.0.2
  • a8848ec Bump pwdlib[argon2,bcrypt] from 0.2.1 to 0.3.0
  • ce42fd7 Bump python-multipart from 0.0.20 to 0.0.21
  • 32cd433 Bump actions/checkout from 5 to 6
  • 7cf413c Add a double-submit cookie in the OAuth flow
  • bcee8c9 Update README
  • 119a5ca Bump version 15.0.0 → 15.0.1
  • c09b16f Fix docstring
  • eaf78f7 docs: update .all-contributorsrc [skip ci]
  • b11ad37 docs: update README.md [skip ci]
  • Additional commits viewable in compare view


Summary by cubic

Upgrade fastapi-users from 14.0.1 to 15.0.2 and add a double-submit CSRF cookie to the OAuth2 authorize/callback endpoints to address the OAuth CSRF vulnerability.

  • Dependencies

    • Bump fastapi-users to 15.0.2.
    • Update python-multipart to 0.0.21 and pwdlib to 0.3.0.
  • Migration

    • Require Python ≥ 3.10 and Pydantic v2.
    • If using OAuth across domains, configure the onyx_oauth_csrf cookie (domain/secure/SameSite) to ensure it’s sent correctly.

Written for commit 1db8517. Summary will update on new commits.


@dependabot dependabot bot added the dependencies and python labels Dec 19, 2025
@dependabot dependabot bot requested a review from a team as a code owner December 19, 2025 21:12
@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file

greptile-apps bot commented Dec 19, 2025

Greptile Summary

This PR upgrades fastapi-users from 14.0.1 to 15.0.2, which includes a critical security fix for a CSRF vulnerability in the OAuth2 flow (CVE discovered by Snyk). The upgrade also includes improvements to expired JWT handling during OAuth callbacks.

Key Changes

Security Fix (v15.0.2)

The OAuth2 authorization flow now implements double-submit cookie CSRF protection. When a user initiates OAuth login via /authorize, the backend sets a CSRF cookie that must be present in the /callback request. This prevents CSRF attacks where malicious sites could initiate OAuth flows on behalf of users.

Breaking Changes (v15.0.0)

  • Dropped Python 3.9 support (requires Python ≥3.10)
  • Dropped Pydantic v1 support (requires Pydantic v2)

Both breaking changes are already satisfied by this project:

  • Project requires Python ≥3.11 (see pyproject.toml line 9)
  • Project uses Pydantic 2.11.7 (see pyproject.toml line 19)

Dependency Updates

  • pwdlib: 0.2.1 → 0.3.0 (transitive dependency)
  • python-multipart: 0.0.20 → 0.0.21 (transitive dependency)

Compatibility Analysis

Python Version: Project requires ≥3.11, which exceeds fastapi-users v15's requirement of ≥3.10

Pydantic Version: Project uses Pydantic 2.11.7, compatible with fastapi-users v15's requirement for Pydantic v2

fastapi-users-db-sqlalchemy: Version 5.0.0 is compatible with fastapi-users ≥10.0.0 (checked uv.lock)

OAuth Implementation: The codebase uses custom OAuth router implementation (create_onyx_oauth_router in backend/onyx/auth/users.py lines 1408-1424) that calls the standard get_oauth_router function. The CSRF cookie mechanism is handled internally by fastapi-users and should work transparently.

CSRF Cookie Considerations

The new CSRF protection uses cookies that should work out-of-the-box for this application because:

  1. Same-domain setup: The OAuth authorize and callback endpoints are on the same domain as the Onyx backend
  2. Cookie configuration: The existing CookieTransport already sets cookie_secure based on HTTPS detection (line 850 in auth/users.py)
  3. No cross-domain flows detected: OAuth callbacks redirect back to the same backend instance

Note: If this application is deployed with a separate frontend domain or uses cross-origin OAuth flows, cookie configuration may need adjustment (domain, SameSite, Secure flags). The fastapi-users documentation mentions this: cross-domain setups may require explicit cookie configuration.

Risk Assessment

  • Security Impact: HIGH POSITIVE - Fixes critical CSRF vulnerability in OAuth flow
  • Breaking Change Impact: NONE - Project already meets new requirements
  • Code Changes Required: NONE - CSRF protection is transparent to existing code
  • Testing Recommendation: Verify OAuth login flows (Google, OIDC) work correctly after upgrade

Confidence Score: 5/5

  • This PR is safe to merge with high confidence - it's a security upgrade with no breaking changes affecting this codebase
  • Score of 5 reflects: (1) Critical security fix for OAuth CSRF vulnerability, (2) All breaking changes (Python ≥3.10, Pydantic v2) are already satisfied by the project's requirements (Python ≥3.11, Pydantic 2.11.7), (3) No code changes required - CSRF protection is transparent, (4) Compatible fastapi-users-db-sqlalchemy version (5.0.0 works with fastapi-users ≥10.0.0), (5) OAuth implementation uses standard patterns that will work with new CSRF cookies, (6) Same-domain OAuth setup means cookie handling should work out-of-the-box
  • No files require special attention - this is a straightforward dependency version bump with transparent security improvements

Important Files Changed

File Analysis

Filename (score): overview
  • backend/requirements/default.txt (5/5): Updates fastapi-users from 14.0.1 to 15.0.2, pwdlib from 0.2.1 to 0.3.0, and python-multipart from 0.0.20 to 0.0.21 - all changes are transitive dependencies of fastapi-users upgrade
  • pyproject.toml (5/5): Updates fastapi-users to 15.0.2 and python-multipart to 0.0.21 in backend dependencies - compatible with existing Python >=3.11 and Pydantic v2 requirements
  • uv.lock (5/5): Lock file updates for fastapi-users 15.0.2, pwdlib 0.3.0, and python-multipart 0.0.21 with updated hashes and metadata

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant OnyxApp as Onyx Backend
    participant OAuthProvider as OAuth Provider (Google/OIDC)
    
    Note over OnyxApp,OAuthProvider: New CSRF Protection in v15.0.2
    
    User->>Browser: Click "Login with OAuth"
    Browser->>OnyxApp: GET /auth/oauth/authorize
    
    Note over OnyxApp: Generate state token (JWT)
    OnyxApp->>OnyxApp: Set CSRF cookie in response
    Note right of OnyxApp: New in v15.0.2:<br/>Double-submit cookie pattern
    
    OnyxApp-->>Browser: 200 OK + CSRF Cookie + Authorization URL
    Browser->>OAuthProvider: Redirect to authorization_url
    
    User->>OAuthProvider: Authenticate & Grant Permissions
    OAuthProvider-->>Browser: Redirect to callback with code + state
    
    Browser->>OnyxApp: GET /auth/oauth/callback?code=...&state=...
    Note right of Browser: Includes CSRF cookie
    
    OnyxApp->>OnyxApp: Verify CSRF cookie matches
    Note right of OnyxApp: New validation in v15.0.2:<br/>Cookie must be present<br/>and match state parameter
    
    alt CSRF Cookie Valid
        OnyxApp->>OAuthProvider: Exchange code for access_token
        OAuthProvider-->>OnyxApp: Return access_token + user info
        OnyxApp->>OnyxApp: Create/update user via oauth_callback()
        OnyxApp->>OnyxApp: Create session token
        OnyxApp-->>Browser: 302 Redirect + Session Cookie
        Browser->>User: Logged in successfully
    else CSRF Cookie Missing/Invalid
        OnyxApp-->>Browser: 400 Bad Request
        Browser->>User: Authentication failed
    end
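The double-submit cookie check that the release notes and the review above describe, modelled with only the Python standard library. This is an added example, not fastapi-users' or Onyx's code; the cookie name, provider URL, endpoint names and scenario inputs are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed names: fastapi-users' real cookie name and endpoints are not reproduced here.
CSRF_COOKIE_NAME = "oauth_csrf"
PROVIDER_AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # constructed


def authorize() -> tuple[str, dict]:
    """/authorize: mint a random state, send it to the provider in the OAuth
    `state` parameter and also bind it to this browser via a cookie on our domain."""
    state = secrets.token_urlsafe(32)
    url = PROVIDER_AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "state": state})
    # Secure/HttpOnly/SameSite are the attributes a cross-domain deployment must revisit.
    cookie = {"name": CSRF_COOKIE_NAME, "value": state,
              "secure": True, "httponly": True, "samesite": "lax"}
    return url, cookie


def callback(query: str, cookies: dict) -> str:
    """/callback: the state echoed by the provider must equal the cookie the
    browser presents. Returns "ok" or the reason the request is rejected."""
    state = parse_qs(query).get("state", [""])[0]
    if not state:
        return "missing state"
    cookie_state = cookies.get(CSRF_COOKIE_NAME)
    if cookie_state is None:
        return "missing csrf cookie"
    if not hmac.compare_digest(state, cookie_state):  # constant-time compare
        return "state/cookie mismatch"
    return "ok"


def run_scenarios() -> dict:
    """Three callbacks against the same check; only the browser that ran
    /authorize itself carries the matching cookie."""
    url, cookie = authorize()
    state = parse_qs(urlparse(url).query)["state"][0]
    jar = {cookie["name"]: cookie["value"]}
    legit = callback(f"code=CODE&state={state}", jar)   # same browser, same cookie
    forged = callback(f"code=CODE&state={state}", {})   # browser never visited /authorize
    _, other_cookie = authorize()                        # cookie from an unrelated /authorize
    stale = callback(f"code=CODE&state={state}", {other_cookie["name"]: other_cookie["value"]})
    return {"legit": legit, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario succeeds; the other two are what the pre-15.0.2 flow would have accepted and are now rejected before any code-for-token exchange happens.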

@jmelahman jmelahman force-pushed the dependabot/pip/backend/requirements/fastapi-users-15.0.2 branch from 187d7b3 to cd9e7d5 Compare December 20, 2025 00:25
@jmelahman jmelahman enabled auto-merge January 12, 2026 21:57
@jmelahman

@greptile @cubic-dev-ai please re-review

cubic-dev-ai bot commented Jan 12, 2026

@greptile @cubic-dev-ai please re-review

@jmelahman I have started the AI code review. It will take a few minutes to complete.

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment


dependabot bot and others added 2 commits January 20, 2026 14:05
Bumps [fastapi-users](https://github.com/fastapi-users/fastapi-users) from 14.0.1 to 15.0.2.
- [Release notes](https://github.com/fastapi-users/fastapi-users/releases)
- [Commits](fastapi-users/fastapi-users@v14.0.1...v15.0.2)

---
updated-dependencies:
- dependency-name: fastapi-users
  dependency-version: 15.0.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@justin-tahara justin-tahara force-pushed the dependabot/pip/backend/requirements/fastapi-users-15.0.2 branch from 75033b0 to 904a67d Compare January 20, 2026 22:05
@jmelahman jmelahman added this pull request to the merge queue Jan 20, 2026
Merged via the queue into main with commit 9104c0f Jan 20, 2026
77 checks passed
@jmelahman jmelahman deleted the dependabot/pip/backend/requirements/fastapi-users-15.0.2 branch January 20, 2026 22:35
jessicasingh7 pushed a commit that referenced this pull request Jan 21, 2026
…uirements (#6897)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: justin-tahara <justintahara@gmail.com>