fix: properly evaluate AURREMEMBER cookie

Whenever the AURREMEMBER cookie was defined, regardless of its value,
"remember_me" is always set to True

The get method of a dict returns a string,
converting a value of str "False" into a bool -> True

We have to check AURREMEMBERs value instead.

Signed-off-by: moson-mo <mo-son@mailbox.org>

aurweb/auth/__init__.py

@@ -104,9 +104,7 @@ class BasicAuthBackend(AuthenticationBackend):
             return unauthenticated
 
         timeout = aurweb.config.getint("options", "login_timeout")
-        remembered = "AURREMEMBER" in conn.cookies and bool(
+        remembered = conn.cookies.get("AURREMEMBER") == "True"
-            conn.cookies.get("AURREMEMBER")
-        )
         if remembered:
             timeout = aurweb.config.getint("options", "persistent_cookie_timeout")
 

aurweb/cookies.py

@@ -65,7 +65,7 @@ def update_response_cookies(
             "AURLANG", aurlang, secure=secure, httponly=secure, samesite=samesite()
         )
     if aursid:
-        remember_me = bool(request.cookies.get("AURREMEMBER", False))
+        remember_me = request.cookies.get("AURREMEMBER") == "True"
         response.set_cookie(
             "AURSID",
             aursid,

aurweb/users/update.py

@@ -131,7 +131,7 @@ def password(
             user.update_password(P)
 
         if user == request.user:
-            remember_me = request.cookies.get("AURREMEMBER", False)
+            remember_me = request.cookies.get("AURREMEMBER") == "True"
 
             # If the target user is the request user, login with
             # the updated password to update the Session record.