make cookies cross-domain compatible

2020-11-12 13:15:50 -05:00 · 2020-11-12 13:15:50 -05:00 · 60c65c7044
commit 60c65c7044
parent a3eaad1ab2
5 changed files with 23 additions and 26 deletions
--- a/auth.py
+++ b/auth.py
@ -59,6 +59,7 @@ def auth_required(func):
 				resp.set_cookie(
 					'userid',
 					user_id,
 					domain=config.server_domain,
 					max_age=30*24*60*60,
 					secure=True,
 					httponly=True)
@ -66,6 +67,7 @@ def auth_required(func):
 				resp.set_cookie(
 					'session',
 					sid,
 					domain=config.server_domain,
 					max_age=30*24*60*60,
 					secure=True,
 					httponly=True)
@ -95,6 +97,7 @@ async def register_begin(request):
 	}, exist_cred, user_verification='discouraged')
 	resp = web.Response(body=cbor.encode(registration_data))
 	# no need to set domain on cookie only used for registration
 	resp.set_cookie(
 		'state',
 		json.dumps(state),
@ -139,13 +142,7 @@ async def register_complete(request):
 			user_id, nick, auth_data.credential_data)
 	resp = web.json_response({'ok': True})
-	resp.set_cookie(
+	resp.set_cookie('state', '', max_age=0)
 		'state',
 		'',
 		max_age=0,
 		secure=True,
 		httponly=True)
 		#samesite='strict')
 	return resp
@ -206,24 +203,13 @@ async def authenticate_complete(request):
 	if not url:
 		url = request.app.router['index'].url_for()
 	resp = web.json_response({'ok': True, 'redirect': str(url)})
-	resp.set_cookie(
+	resp.set_cookie('state', '', max_age=0)
 		'state',
 		'',
 		max_age=0,
 		secure=True,
 		httponly=True)
 		#samesite='strict')
-	resp.set_cookie(
+	resp.set_cookie('redirect', '', domain=config.server_domain, max_age=0)
 		'redirect',
 		'',
 		max_age=0,
 		secure=True,
 		httponly=True)
 		#samesite='strict')
 	resp.set_cookie(
 		'userid',
 		user_id,
 		domain=config.server_domain,
 		max_age=30*24*60*60,
 		secure=True,
 		httponly=True)
@ -240,6 +226,7 @@ async def authenticate_complete(request):
 	resp.set_cookie(
 		'session',
 		sid,
 		domain=config.server_domain,
 		max_age=30*24*60*60,
 		secure=True,
 		httponly=True)
--- a/buckler.py
+++ b/buckler.py
@ -112,6 +112,7 @@ async def login(request):
 		resp.set_cookie(
 			'userid',
 			user_info['id'],
 			domain=config.server_domain,
 			secure=True,
 			httponly=True)
 			#samesite='strict')
@ -124,6 +125,7 @@ async def login(request):
 			resp.set_cookie(
 				'userid',
 				user_info['id'],
 				domain=config.server_domain,
 				secure=True,
 				httponly=True)
 				#samesite='strict')
@ -133,10 +135,11 @@ async def login(request):
 		if not url:
 			url = request.app.router['index'].url_for()
 		resp = web.HTTPFound(location=url)
-		resp.set_cookie('redirect', '', max_age=0)
+		resp.set_cookie('redirect', '', domain=config.server_domain, max_age=0)
 		resp.set_cookie(
 			'userid',
 			user_info['id'],
 			domain=config.server_domain,
 			max_age=30*24*60*60,
 			secure=True,
 			httponly=True)
@ -151,7 +154,9 @@ async def login(request):
 				sid,
 				ip_address)
 		resp.set_cookie(
-			'session',sid,
+			'session',
 			sid,
 			domain=config.server_domain,
 			max_age=30*24*60*60,
 			secure=True,
 			httponly=True)
--- a/buckler_aiohttp.py
+++ b/buckler_aiohttp.py
@ -24,8 +24,7 @@ async def buckler_session(request, handler):
 		'app_id': config.buckler['app_id'],
 		'app_key': config.buckler['app_key'],
 		'userid': user_id,
-		'session': user_sid
+		'session': user_sid }
 	}
 	async with aiohttp.ClientSession() as session:
 		async with session.get(url, params=params) as resp:
 			data = await resp.json()
@ -34,6 +33,7 @@ async def buckler_session(request, handler):
 				resp.set_cookie(
 					'redirect',
 					request.url,
 					domain=config.server_domain,
 					secure=True,
 					httponly=True)
 					#samesite='strict')
@ -55,6 +55,7 @@ async def buckler_session(request, handler):
 			resp.set_cookie(
 				'userid',
 				user_id,
 				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True)
@ -62,6 +63,7 @@ async def buckler_session(request, handler):
 			resp.set_cookie(
 				'session',
 				user_sid,
 				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True)
--- a/buckler_flask.py
+++ b/buckler_flask.py
@ -74,6 +74,7 @@ class BucklerSessionInterface(SessionInterface):
 			response.set_cookie(
 				'userid',
 				session.cookies['userid'],
 				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True,
@ -81,6 +82,7 @@ class BucklerSessionInterface(SessionInterface):
 			response.set_cookie(
 				'session',
 				session.cookies['session'],
 				domain=config.server_domain,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True,
@ -108,6 +110,7 @@ def require_auth():
 		resp.set_cookie(
 			'redirect',
 			request.url,
 			domain=config.server_domain,
 			secure=True,
 			httponly=True,
 			samesite='strict')
--- a/config.py.template
+++ b/config.py.template
@ -7,7 +7,7 @@ eg. https://example.com/buckler
 `db` specifies parameters for connecting to the PostgreSQL database.
 `email` specifies parameters for connecting to the SMTP server.
 """
-server_domain = 'https://steelbea.me'
+server_domain = 'steelbea.me'
 url_prefix = '/buckler'
 db = {