fix(fastapi): rework cookies - do not re-emit generically

This change removes cookie re-emission of AURLANG and AURTZ, adds the AURREMEMBER cookie (the state of the "Remember Me" checkbox on login), and re-emits AURSID based on the AURREMEMBER cookie. Previously, re-emission of AURSID was forcefully modifying the expiration of the AURSID cookie. The introduction of AURREMEMBER allows us to deduct the correct cookie expiration timing based on configuration variables. With this addition, we now re-emit the AURSID cookie with an updated expiration based on the "Remember Me" checkbox on login. Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2021-10-28 00:11:23 -07:00 · 2021-10-28 00:11:23 -07:00 · 034288711b
commit 034288711b
parent 7418c33a30
6 changed files with 100 additions and 50 deletions
--- a/aurweb/routers/auth.py
+++ b/aurweb/routers/auth.py
@ -6,7 +6,7 @@ from fastapi.responses import HTMLResponse, RedirectResponse

 import aurweb.config

-from aurweb import util
+from aurweb import cookies
 from aurweb.auth import auth_required
 from aurweb.models import User
 from aurweb.templates import make_variable_context, render_template
@ -42,12 +42,7 @@ async def login_post(request: Request,
        return await login_template(request, next,
                                    errors=["Bad username or password."])

-    cookie_timeout = 0
-
-    if remember_me:
-        cookie_timeout = aurweb.config.getint(
-            "options", "persistent_cookie_timeout")
-
+    cookie_timeout = cookies.timeout(remember_me)
    sid = user.login(request, passwd, cookie_timeout)
    if not sid:
        return await login_template(request, next,
@ -61,14 +56,17 @@ async def login_post(request: Request,
    response = RedirectResponse(url=next,
                                status_code=HTTPStatus.SEE_OTHER)

-    secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
+    secure = aurweb.config.getboolean("options", "disable_http_login")
    response.set_cookie("AURSID", sid, expires=expires_at,
-                        secure=secure_cookies, httponly=True)
+                        secure=secure, httponly=secure,
+                        samesite=cookies.samesite())
    response.set_cookie("AURTZ", user.Timezone,
-                        secure=secure_cookies, httponly=True)
+                        secure=secure, httponly=secure,
+                        samesite=cookies.samesite())
    response.set_cookie("AURLANG", user.LangPreference,
-                        secure=secure_cookies, httponly=True)
-    return util.add_samesite_fields(response, "strict")
+                        secure=secure, httponly=secure,
+                        samesite=cookies.samesite())
+    return response


@router.get("/logout")