From 3f320a23586c0b4de1789919fbe462d5f4e99650 Mon Sep 17 00:00:00 2001
From: axolotle
Date: Thu, 30 Nov 2023 14:04:13 +0100
Subject: [PATCH] portal:auth: samesite=None in dev mode

---
 src/authenticators/ldap_ynhuser.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/authenticators/ldap_ynhuser.py b/src/authenticators/ldap_ynhuser.py
index 63f51c652..0a4ab0b75 100644
--- a/src/authenticators/ldap_ynhuser.py
+++ b/src/authenticators/ldap_ynhuser.py
@@ -9,6 +9,7 @@ import base64
 import os
 import hashlib
 import glob
+from pathlib import Path
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from cryptography.hazmat.primitives import padding
@@ -127,13 +128,16 @@ class Authenticator(BaseAuthenticator):
         infos["id"] = short_hash(infos['user']) + random_ascii(20)
         infos["host"] = request.get_header("host")
+        is_dev = Path("/etc/yunohost/.portal-api-allowed-cors-origins").exists()
+
         response.set_cookie(
             "yunohost.portal",
             jwt.encode(infos, SESSION_SECRET, algorithm="HS256"),
             secure=True,
             httponly=True,
             path="/",
-            samesite="strict", # Doesn't this cause issues ? May cause issue if the portal is on different subdomain than the portal API ? Will surely cause issue for development similar to CORS ?
+            # Doesn't this cause issues ? May cause issue if the portal is on different subdomain than the portal API ? Will surely cause issue for development similar to CORS ?
+            samesite="strict" if not is_dev else None,
         )
         # Create the session file (expiration mechanism)
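Review bot: The new `samesite="strict" if not is_dev else None,` line leaves the dev-mode behaviour up to how the cookie helper treats a Python `None` — some implementations emit the literal `SameSite=None` (what a cross-site dev portal needs, and only accepted by browsers together with `secure=True`, which is set here), while others simply omit the attribute and leave browsers at their `Lax` default, so the explicit string is unambiguous: `samesite="strict" if not is_dev else "None",`. The relaxation is keyed on the mere existence of `/etc/yunohost/.portal-api-allowed-cors-origins`, so a file left behind on a production host silently weakens the session cookie's cross-site protection; that coupling deserves a comment on the `is_dev` line, e.g. `# The CORS-origins file marks a dev setup; its presence also relaxes SameSite on the session cookie, so it must not exist on production hosts.` The comment carried over above `samesite=` now asks a question this change partly answers and could be trimmed to the remaining subdomain concern. The enclosing method begins before and continues after the hunk.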