fix login redirect

auth.py

@@ -62,12 +62,14 @@ def auth_required(func):
 					max_age=30*24*60*60,
 					secure=True,
 					httponly=True)
+					#samesite='strict')
 				resp.set_cookie(
 					'session',
 					sid,
 					max_age=30*24*60*60,
 					secure=True,
 					httponly=True)
+					#samesite='strict')
 			return resp
 		else:
 			raise web.HTTPFound(location=login_url)
@@ -93,7 +95,12 @@ async def register_begin(request):
 	}, exist_cred, user_verification='discouraged')
 
 	resp = web.Response(body=cbor.encode(registration_data))
-	resp.set_cookie('state', json.dumps(state))
+	resp.set_cookie(
+		'state',
+		json.dumps(state),
+		secure=True,
+		httponly=True)
+		#samesite='strict')
 	return resp
 
 
@@ -132,7 +139,13 @@ async def register_complete(request):
 			user_id, nick, auth_data.credential_data)
 
 	resp = web.json_response({'ok': True})
-	resp.set_cookie('state', '', max_age=0)
+	resp.set_cookie(
+		'state',
+		'',
+		max_age=0,
+		secure=True,
+		httponly=True)
+		#samesite='strict')
 	return resp
 
 
@@ -152,7 +165,12 @@ async def authenticate_begin(request):
 
 	auth_data, state = server.authenticate_begin(credentials)
 	resp = web.Response(body=cbor.encode(auth_data))
-	resp.set_cookie('state', json.dumps(state))
+	resp.set_cookie(
+		'state',
+		json.dumps(state),
+		secure=True,
+		httponly=True)
+		#samesite='strict')
 	return resp
 
 
@@ -188,15 +206,28 @@ async def authenticate_complete(request):
 	if not url:
 		url = request.app.router['index'].url_for()
 	resp = web.json_response({'ok': True, 'redirect': str(url)})
-	resp.set_cookie('state', '', max_age=0)
+	resp.set_cookie(
+		'state',
+		'',
+		max_age=0,
+		secure=True,
+		httponly=True)
+		#samesite='strict')
 
-	resp.set_cookie('redirect', '', max_age=0)
+	resp.set_cookie(
+		'redirect',
+		'',
+		max_age=0,
+		secure=True,
+		httponly=True)
+		#samesite='strict')
 	resp.set_cookie(
 		'userid',
 		user_id,
 		max_age=30*24*60*60,
 		secure=True,
 		httponly=True)
+		#samesite='strict')
 	sid = secrets.token_urlsafe(64)
 	ip_address = request.headers['X-Real-IP']
 	async with request.app['pool'].acquire() as conn:
@@ -212,5 +243,6 @@ async def authenticate_complete(request):
 		max_age=30*24*60*60,
 		secure=True,
 		httponly=True)
+		#samesite='strict')
 
 	return resp

buckler.py

@@ -109,14 +109,24 @@ async def login(request):
 	if has_cred['exists'] and user_info['passwordless']:
 		url_prefix = config.url_prefix
 		resp = render_template("login_key.html", request, locals())
-		resp.set_cookie('userid', user_info['id'])
+		resp.set_cookie(
+			'userid',
+			user_info['id'],
+			secure=True,
+			httponly=True)
+			#samesite='strict')
 		return resp
 
 	if argon2.verify(password, user_info['password_hash']):
 		if has_cred['exists']:
 			url_prefix = config.url_prefix
 			resp = render_template("login_key.html", request, locals())
-			resp.set_cookie('userid', user_info['id'])
+			resp.set_cookie(
+				'userid',
+				user_info['id'],
+				secure=True,
+				httponly=True)
+				#samesite='strict')
 			return resp
 
 		url = request.cookies.get('redirect')
@@ -130,6 +140,7 @@ async def login(request):
 			max_age=30*24*60*60,
 			secure=True,
 			httponly=True)
+			#samesite='strict')
 		sid = secrets.token_urlsafe(64)
 		ip_address = request.headers['X-Real-IP']
 		async with request.app['pool'].acquire() as conn:
@@ -144,6 +155,7 @@ async def login(request):
 			max_age=30*24*60*60,
 			secure=True,
 			httponly=True)
+			#samesite='strict')
 		raise resp
 	else:
 		login_failed = True

buckler_aiohttp.py

@@ -30,7 +30,14 @@ async def buckler_session(request, handler):
 		async with session.get(url, params=params) as resp:
 			data = await resp.json()
 			if data.get('error'):
-				raise web.HTTPFound(location=config.buckler['login_url'])
+				resp = web.HTTPFound(config.buckler['login_url'])
+				resp.set_cookie(
+					'redirect',
+					request.url,
+					secure=True,
+					httponly=True)
+					#samesite='strict')
+				raise resp
 			request['session'] = data['session_data']
 			request['meta'] = data['meta']
 
@@ -51,11 +58,13 @@ async def buckler_session(request, handler):
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True)
+				#samesite='strict')
 			resp.set_cookie(
 				'session',
 				user_sid,
 				max_age=30*24*60*60,
 				secure=True,
 				httponly=True)
+				#samesite='strict')
 
 	return resp

buckler_flask.py

@@ -76,13 +76,15 @@ class BucklerSessionInterface(SessionInterface):
 				session.cookies['userid'],
 				max_age=30*24*60*60,
 				secure=True,
-				httponly=True)
+				httponly=True,
+				samesite='strict')
 			response.set_cookie(
 				'session',
 				session.cookies['session'],
 				max_age=30*24*60*60,
 				secure=True,
-				httponly=True)
+				httponly=True,
+				samesite='strict')
 
 
 class BucklerSession(dict, SessionMixin):
@@ -103,5 +105,10 @@ def require_auth():
 	"""
 	if not hasattr(session, 'meta'):
 		resp = redirect(config.buckler['login_url'])
-		resp.set_cookie('redirect', request.url)
+		resp.set_cookie(
+			'redirect',
+			request.url,
+			secure=True,
+			httponly=True,
+			samesite='strict')
 		return resp

static/buckler-auth.js

@@ -32,7 +32,7 @@ function login() {
 		body: CBOR.encode({
 		})
 	}).then(function(response) {
-		if(!response.ok) { throw new Error('Error getting registration data!'); }
+		if(!response.ok) { throw new Error('Error getting authentication data!'); }
 		return response.arrayBuffer();
 	}).then(CBOR.decode).then(function(options) {
 		return navigator.credentials.get(options);
@@ -52,8 +52,7 @@ function login() {
 	}).then(function(response) {
 		return response.json();
 	}).then(function(json) {
-		console.log(json);
 		if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); }
-		window.location = url_prefix + '/';
+		window.location = json.redirect;
 	});
 }