fix: Use SameSite=Lax on cookies

2025-02-03 10:43:03 +01:00 · 2022-08-18 18:35:25 +02:00 · 2022-08-18 18:35:25 +02:00 · f10732960c
commit f10732960c
parent fb1fb2ef3b
3 changed files with 50 additions and 14 deletions
--- a/aurweb/cookies.py
+++ b/aurweb/cookies.py
@ -5,15 +5,13 @@ from aurweb import config


 def samesite() -> str:
-    """ Produce cookie SameSite value based on options.disable_http_login.
+    """ Produce cookie SameSite value.

-    When options.disable_http_login is True, "strict" is returned. Otherwise,
-    "lax" is returned.
+    Currently this is hard-coded to return "lax"

-    :returns "strict" if options.disable_http_login else "lax"
+    :returns "lax"
    """
-    secure = config.getboolean("options", "disable_http_login")
-    return "strict" if secure else "lax"
+    return "lax"


 def timeout(extended: bool) -> int:
--- a/doc/web-auth.md
+++ b/doc/web-auth.md
@ -17,7 +17,7 @@ in the following ways:
 - `options.disable_http_login: 0`
    - [Samesite=LAX](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute), Max-Age
 - `options.disable_http_login: 1`
-    - [Secure, HttpOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies), [Samesite=Strict](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute), Max-Age
+    - [Samesite=LAX](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute), [Secure, HttpOnly](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)

 ### Max-Age

--- a/test/test_auth_routes.py
+++ b/test/test_auth_routes.py
@ -109,14 +109,52 @@ def test_login_email(client: TestClient, user: user):
    assert "AURSID" in resp.cookies


-def mock_getboolean(a, b):
-    if a == "options" and b == "disable_http_login":
-        return True
-    return bool(aurweb.config.get(a, b))
+def mock_getboolean(**overrided_configs):
+    mocked_config = {
+        tuple(config.split("__")): value
+        for config, value in overrided_configs.items()
+    }
+
+    def side_effect(*args):
+        return mocked_config.get(args, bool(aurweb.config.get(*args)))
+
+    return side_effect


-@mock.patch("aurweb.config.getboolean", side_effect=mock_getboolean)
-def test_secure_login(getboolean: bool, client: TestClient, user: User):
+@mock.patch(
+    "aurweb.config.getboolean",
+    side_effect=mock_getboolean(options__disable_http_login=False)
+)
+def test_insecure_login(getboolean: mock.Mock, client: TestClient, user: User):
+    post_data = {
+        "user": user.Username,
+        "passwd": "testPassword",
+        "next": "/"
+    }
+
+    # Perform a login request with the data matching our user.
+    with client as request:
+        response = request.post("/login", data=post_data,
+                                allow_redirects=False)
+
+    # Make sure we got the expected status out of it.
+    assert response.status_code == int(HTTPStatus.SEE_OTHER)
+
+    # Let's check what we got in terms of cookies for AURSID.
+    # Make sure that a secure cookie got passed to us.
+    cookie = next(c for c in response.cookies if c.name == "AURSID")
+    assert cookie.secure is False
+    assert cookie.has_nonstandard_attr("HttpOnly") is False
+    assert cookie.has_nonstandard_attr("SameSite") is True
+    assert cookie.get_nonstandard_attr("SameSite") == "lax"
+    assert cookie.value is not None and len(cookie.value) > 0
+
+
+@mock.patch(
+    "aurweb.config.getboolean",
+    side_effect=mock_getboolean(options__disable_http_login=True)
+)
+def test_secure_login(getboolean: mock.Mock, client: TestClient, user: User):
    """ In this test, we check to verify the course of action taken
    by starlette when providing secure=True to a response cookie.
    This is achieved by mocking aurweb.config.getboolean to return
@ -154,7 +192,7 @@ def test_secure_login(getboolean: bool, client: TestClient, user: User):
    assert cookie.secure is True
    assert cookie.has_nonstandard_attr("HttpOnly") is True
    assert cookie.has_nonstandard_attr("SameSite") is True
-    assert cookie.get_nonstandard_attr("SameSite") == "strict"
+    assert cookie.get_nonstandard_attr("SameSite") == "lax"
    assert cookie.value is not None and len(cookie.value) > 0

    # Let's make sure we actually have a session relationship