make cookies cross-domain compatible

This commit is contained in:
iou1name 2020-11-12 13:15:50 -05:00
parent a3eaad1ab2
commit 60c65c7044
5 changed files with 23 additions and 26 deletions

29
auth.py
View File

@ -59,6 +59,7 @@ def auth_required(func):
resp.set_cookie(
'userid',
user_id,
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)
@ -66,6 +67,7 @@ def auth_required(func):
resp.set_cookie(
'session',
sid,
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)
@ -95,6 +97,7 @@ async def register_begin(request):
}, exist_cred, user_verification='discouraged')
resp = web.Response(body=cbor.encode(registration_data))
# no need to set domain on cookie only used for registration
resp.set_cookie(
'state',
json.dumps(state),
@ -139,13 +142,7 @@ async def register_complete(request):
user_id, nick, auth_data.credential_data)
resp = web.json_response({'ok': True})
resp.set_cookie(
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie('state', '', max_age=0)
return resp
@ -206,24 +203,13 @@ async def authenticate_complete(request):
if not url:
url = request.app.router['index'].url_for()
resp = web.json_response({'ok': True, 'redirect': str(url)})
resp.set_cookie(
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie('state', '', max_age=0)
resp.set_cookie(
'redirect',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie('redirect', '', domain=config.server_domain, max_age=0)
resp.set_cookie(
'userid',
user_id,
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)
@ -240,6 +226,7 @@ async def authenticate_complete(request):
resp.set_cookie(
'session',
sid,
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)

View File

@ -112,6 +112,7 @@ async def login(request):
resp.set_cookie(
'userid',
user_info['id'],
domain=config.server_domain,
secure=True,
httponly=True)
#samesite='strict')
@ -124,6 +125,7 @@ async def login(request):
resp.set_cookie(
'userid',
user_info['id'],
domain=config.server_domain,
secure=True,
httponly=True)
#samesite='strict')
@ -133,10 +135,11 @@ async def login(request):
if not url:
url = request.app.router['index'].url_for()
resp = web.HTTPFound(location=url)
resp.set_cookie('redirect', '', max_age=0)
resp.set_cookie('redirect', '', domain=config.server_domain, max_age=0)
resp.set_cookie(
'userid',
user_info['id'],
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)
@ -151,7 +154,9 @@ async def login(request):
sid,
ip_address)
resp.set_cookie(
'session',sid,
'session',
sid,
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)

View File

@ -24,8 +24,7 @@ async def buckler_session(request, handler):
'app_id': config.buckler['app_id'],
'app_key': config.buckler['app_key'],
'userid': user_id,
'session': user_sid
}
'session': user_sid }
async with aiohttp.ClientSession() as session:
async with session.get(url, params=params) as resp:
data = await resp.json()
@ -34,6 +33,7 @@ async def buckler_session(request, handler):
resp.set_cookie(
'redirect',
request.url,
domain=config.server_domain,
secure=True,
httponly=True)
#samesite='strict')
@ -55,6 +55,7 @@ async def buckler_session(request, handler):
resp.set_cookie(
'userid',
user_id,
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)
@ -62,6 +63,7 @@ async def buckler_session(request, handler):
resp.set_cookie(
'session',
user_sid,
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True)

View File

@ -74,6 +74,7 @@ class BucklerSessionInterface(SessionInterface):
response.set_cookie(
'userid',
session.cookies['userid'],
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True,
@ -81,6 +82,7 @@ class BucklerSessionInterface(SessionInterface):
response.set_cookie(
'session',
session.cookies['session'],
domain=config.server_domain,
max_age=30*24*60*60,
secure=True,
httponly=True,
@ -108,6 +110,7 @@ def require_auth():
resp.set_cookie(
'redirect',
request.url,
domain=config.server_domain,
secure=True,
httponly=True,
samesite='strict')

View File

@ -7,7 +7,7 @@ eg. https://example.com/buckler
`db` specifies parameters for connecting to the PostgreSQL database.
`email` specifies parameters for connecting to the SMTP server.
"""
server_domain = 'https://steelbea.me'
server_domain = 'steelbea.me'
url_prefix = '/buckler'
db = {