From 7673fccd222f93229f20648ebdcaacf9e8eb82f7 Mon Sep 17 00:00:00 2001
From: iou1name
Date: Sat, 15 Aug 2020 01:27:50 -0400
Subject: [PATCH] fix login redirect
---
auth.py | 42 +++++++++++++++++++++++++++++++++++++-----
buckler.py | 16 ++++++++++++++--
buckler_aiohttp.py | 11 ++++++++++-
buckler_flask.py | 13 ++++++++++---
static/buckler-auth.js | 5 ++---
5 files changed, 73 insertions(+), 14 deletions(-)
diff --git a/auth.py b/auth.py
index bb39435..776823e 100644
--- a/auth.py
+++ b/auth.py
@@ -62,12 +62,14 @@ def auth_required(func):
max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
resp.set_cookie( 'session', sid, max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
return resp else: raise web.HTTPFound(location=login_url)
@@ -93,7 +95,12 @@ async def register_begin(request):
}, exist_cred, user_verification='discouraged') resp = web.Response(body=cbor.encode(registration_data))
- resp.set_cookie('state', json.dumps(state))
+ resp.set_cookie(
+ 'state',
+ json.dumps(state),
+ secure=True,
+ httponly=True)
+ #samesite='strict')
return resp
@@ -132,7 +139,13 @@ async def register_complete(request):
user_id, nick, auth_data.credential_data) resp = web.json_response({'ok': True})
- resp.set_cookie('state', '', max_age=0)
+ resp.set_cookie(
+ 'state',
+ '',
+ max_age=0,
+ secure=True,
+ httponly=True)
+ #samesite='strict')
return resp
@@ -152,7 +165,12 @@ async def authenticate_begin(request):
auth_data, state = server.authenticate_begin(credentials) resp = web.Response(body=cbor.encode(auth_data))
- resp.set_cookie('state', json.dumps(state))
+ resp.set_cookie(
+ 'state',
+ json.dumps(state),
+ secure=True,
+ httponly=True)
+ #samesite='strict')
return resp
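Review bot: The commented-out `#samesite='strict')` left after `httponly=True)` in auth_required is dead code rather than documentation, and the same artifact is repeated in the register_begin, register_complete and authenticate_begin hunks here and in the buckler.py and buckler_aiohttp.py hunks below. Without the argument these aiohttp cookies carry no SameSite attribute and rely on whatever default the browser applies, while buckler_flask.py in this same commit sets `samesite='strict'` for real, so the two code paths now differ silently. If the keyword is left out because the aiohttp version in use does not accept it (the hunk does not say), record that in one comment instead of a trailing paren, e.g. `# TODO: pass samesite='strict' once the aiohttp in use accepts the keyword; buckler_flask.py already sets it`. auth_required's body starts before this hunk.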
@@ -188,15 +206,28 @@ async def authenticate_complete(request):
if not url: url = request.app.router['index'].url_for() resp = web.json_response({'ok': True, 'redirect': str(url)})
- resp.set_cookie('state', '', max_age=0)
+ resp.set_cookie(
+ 'state',
+ '',
+ max_age=0,
+ secure=True,
+ httponly=True)
+ #samesite='strict')
- resp.set_cookie('redirect', '', max_age=0)
+ resp.set_cookie(
+ 'redirect',
+ '',
+ max_age=0,
+ secure=True,
+ httponly=True)
+ #samesite='strict')
resp.set_cookie( 'userid', user_id, max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
sid = secrets.token_urlsafe(64) ip_address = request.headers['X-Real-IP'] async with request.app['pool'].acquire() as conn:
@@ -212,5 +243,6 @@ async def authenticate_complete(request):
max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
return resp
diff --git a/buckler.py b/buckler.py
index c78785e..0a7c72c 100644
--- a/buckler.py
+++ b/buckler.py
@@ -109,14 +109,24 @@ async def login(request):
if has_cred['exists'] and user_info['passwordless']: url_prefix = config.url_prefix resp = render_template("login_key.html", request, locals())
- resp.set_cookie('userid', user_info['id'])
+ resp.set_cookie(
+ 'userid',
+ user_info['id'],
+ secure=True,
+ httponly=True)
+ #samesite='strict')
return resp if argon2.verify(password, user_info['password_hash']): if has_cred['exists']: url_prefix = config.url_prefix resp = render_template("login_key.html", request, locals())
- resp.set_cookie('userid', user_info['id'])
+ resp.set_cookie(
+ 'userid',
+ user_info['id'],
+ secure=True,
+ httponly=True)
+ #samesite='strict')
return resp url = request.cookies.get('redirect')
@@ -130,6 +140,7 @@ async def login(request):
max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
sid = secrets.token_urlsafe(64) ip_address = request.headers['X-Real-IP'] async with request.app['pool'].acquire() as conn:
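Review bot: `resp = web.json_response({'ok': True, 'redirect': str(url)})` hands the client a URL that, judging by the `url = request.cookies.get('redirect')` line in the buckler.py login hunk below, appears to originate from the `redirect` cookie, and static/buckler-auth.js in this commit assigns it straight to `window.location`; nothing in the hunk checks that it points back into this site. A cookie is client-held state, so authenticate_complete (and login in buckler.py) should accept only a relative or same-host target before returning it and otherwise fall back to `request.app.router['index'].url_for()`. The assignment of `url` lies above this hunk, so such a check may already exist there; if it does, a one-line comment at `if not url:` saying that `url` has been validated would save the next reader the trip. authenticate_complete continues outside the hunk on both sides.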
@@ -144,6 +155,7 @@ async def login(request):
max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
raise resp else: login_failed = True
diff --git a/buckler_aiohttp.py b/buckler_aiohttp.py
index bb10047..db321aa 100644
--- a/buckler_aiohttp.py
+++ b/buckler_aiohttp.py
@@ -30,7 +30,14 @@ async def buckler_session(request, handler):
async with session.get(url, params=params) as resp: data = await resp.json() if data.get('error'):
- raise web.HTTPFound(location=config.buckler['login_url'])
+ resp = web.HTTPFound(config.buckler['login_url'])
+ resp.set_cookie(
+ 'redirect',
+ request.url,
+ secure=True,
+ httponly=True)
+ #samesite='strict')
+ raise resp
request['session'] = data['session_data'] request['meta'] = data['meta']
@@ -51,11 +58,13 @@ async def buckler_session(request, handler):
max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
resp.set_cookie( 'session', user_sid, max_age=30*24*60*60, secure=True, httponly=True)
+ #samesite='strict')
return resp
diff --git a/buckler_flask.py b/buckler_flask.py
index 0ed5429..2d2ee72 100644
--- a/buckler_flask.py
+++ b/buckler_flask.py
@@ -76,13 +76,15 @@ class BucklerSessionInterface(SessionInterface):
session.cookies['userid'], max_age=30*24*60*60, secure=True,
- httponly=True)
+ httponly=True,
+ samesite='strict')
response.set_cookie( 'session', session.cookies['session'], max_age=30*24*60*60, secure=True,
- httponly=True)
+ httponly=True,
+ samesite='strict')
class BucklerSession(dict, SessionMixin):
@@ -103,5 +105,10 @@ def require_auth():
""" if not hasattr(session, 'meta'): resp = redirect(config.buckler['login_url'])
- resp.set_cookie('redirect', request.url)
+ resp.set_cookie(
+ 'redirect',
+ request.url,
+ secure=True,
+ httponly=True,
+ samesite='strict')
return resp
diff --git a/static/buckler-auth.js b/static/buckler-auth.js
index 7389524..6573199 100644
--- a/static/buckler-auth.js
+++ b/static/buckler-auth.js
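Review bot: `resp = web.HTTPFound(config.buckler['login_url'])` in buckler_session rebinds the name that `async with session.get(url, params=params) as resp:` bound to the client response, so if the `if data.get('error'):` branch sits inside that block (the flattened hunk suggests it does) `resp` means two different objects a few lines apart; the block still exits correctly because `__aexit__` does not depend on the name, but it reads like a bug. Use a distinct name, e.g. `redirect_resp = web.HTTPFound(config.buckler['login_url'])`, `redirect_resp.set_cookie('redirect', str(request.url), secure=True, httponly=True)` and `raise redirect_resp`. `str(request.url)` also makes the conversion explicit, since aiohttp's `request.url` is a URL object while the Flask counterpart in buckler_flask.py passes a plain string. buckler_session continues outside the hunk on both sides.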
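Review bot: `samesite='strict'` on the `userid` and `session` cookies in BucklerSessionInterface means browsers withhold them on every cross-site top-level navigation, so a logged-in user who follows a link into this app from another site presumably arrives without a session and is sent to the login page by require_auth. That may be the intended trade-off, but it is the classic Strict pitfall and the aiohttp side of this commit does not set the attribute at all, so the choice deserves a comment, e.g. `# Strict: never sent on cross-site navigations, including links into the app from elsewhere; use 'lax' if that matters`. The enclosing method starts before this hunk.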
@@ -32,7 +32,7 @@ function login() {
body: CBOR.encode({ }) }).then(function(response) {
- if(!response.ok) { throw new Error('Error getting registration data!'); }
+ if(!response.ok) { throw new Error('Error getting authentication data!'); }
return response.arrayBuffer(); }).then(CBOR.decode).then(function(options) { return navigator.credentials.get(options);
@@ -52,8 +52,7 @@ function login() {
}).then(function(response) { return response.json(); }).then(function(json) {
- console.log(json);
if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); }
- window.location = url_prefix + '/';
+ window.location = json.redirect;
}); }
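Review bot: `window.location = json.redirect;` navigates wherever the response says with no fallback, so a reply that omits the field (an older server, or a future error path) sends the browser to a literal `undefined` path; keeping the old default as the fallback, `window.location = json.redirect || url_prefix + '/';`, preserves the previous behaviour for that case. The server remains the right place to check that `redirect` stays on this site, since this code cannot tell where the value came from. login() starts before this hunk.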