Share session data across mounted routes

starlette/middleware/sessions.py

@@ -49,7 +49,7 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
 
         async def send_wrapper(message: Message) -> None:
             if message["type"] == "http.response.start":
-                path = scope.get("root_path", "") or "/"
+                path = scope.get("session_cookie_path", "") or "/"
                 if scope["session"]:
                     # We have session data to persist.
                     data = b64encode(json.dumps(scope["session"]).encode("utf-8"))

starlette/routing.py

@@ -345,6 +345,7 @@ def __init__(
             self.app: ASGIApp = app
         else:
             self.app = Router(routes=routes)
+        self._should_share_cookies = routes is not None
         self.name = name
         self.path_regex, self.path_format, self.param_convertors = compile_path(
             self.path + "/{path:path}"
@@ -371,6 +372,18 @@ def matches(self, scope: Scope) -> typing.Tuple[Match, Scope]:
                     "path_params": path_params,
                     "app_root_path": scope.get("app_root_path", root_path),
                     "root_path": root_path + matched_path,
+                    "session_cookie_path": (
+                        # NOTE: if mounting a list of routes, rather than a fully
+                        # separate ASGI app, session data modified by these routes
+                        # should apply to the parent path.
+                        # This allows e.g. mounting auth routes and have their
+                        # session modifications be available to the parent app,
+                        # for use in e.g. permission checks in neighboring routes.
+                        # See: https://github.com/encode/starlette/issues/1261
+                        root_path
+                        if self._should_share_cookies
+                        else root_path + matched_path
+                    ),
                     "path": remaining_path,
                     "endpoint": self.app,
                 }

tests/middleware/test_session.py

@@ -1,8 +1,10 @@
 import re
 
 from starlette.applications import Starlette
+from starlette.middleware import Middleware
 from starlette.middleware.sessions import SessionMiddleware
 from starlette.responses import JSONResponse
+from starlette.routing import Mount, Route
 
 
 def view_session(request):
@@ -104,7 +106,7 @@ def test_secure_session(test_client_factory):
     assert response.json() == {"session": {}}
 
 
-def test_session_cookie_subpath(test_client_factory):
+def test_session_mounted_app(test_client_factory):
     app = create_app()
     second_app = create_app()
     second_app.add_middleware(SessionMiddleware, secret_key="example")
@@ -118,6 +120,23 @@ def test_session_cookie_subpath(test_client_factory):
     assert cookie_path == "/second_app"
 
 
+def test_session_mounted_routes(test_client_factory):
+    auth_routes = [
+        Route("/login", update_session, methods=["POST"]),
+    ]
+
+    app = Starlette(
+        routes=[Mount("/auth", routes=auth_routes)],
+        middleware=[Middleware(SessionMiddleware, secret_key="example")],
+    )
+
+    client = test_client_factory(app, base_url="http://testserver")
+    response = client.post("/auth/login", json={"some": "data"})
+    cookie = response.headers["set-cookie"]
+    cookie_path = re.search(r"; path=(\S+);", cookie).groups()[0]
+    assert cookie_path == "/"
+
+
 def test_invalid_session_cookie(test_client_factory):
     app = create_app()
     app.add_middleware(SessionMiddleware, secret_key="example")