auth: restrict cookies to the appropriate api

2024-09-03 20:06:10 +02:00 · 2024-02-03 17:29:19 +01:00 · 2024-02-03 17:29:19 +01:00 · 6a3c77eda1
commit 6a3c77eda1
parent 9a7ec301a6
2 changed files with 4 additions and 4 deletions
--- a/src/authenticators/ldap_admin.py
+++ b/src/authenticators/ldap_admin.py
@ -162,7 +162,7 @@ class Authenticator(BaseAuthenticator):
            jwt.encode(infos, SESSION_SECRET(), algorithm="HS256"),
            secure=True,
            httponly=True,
-            path="/",
+            path="/yunohost/api",
            samesite="strict",
        )

@ -190,7 +190,7 @@ class Authenticator(BaseAuthenticator):
        self.purge_expired_session_files()
        session_file = f'{SESSION_FOLDER}/{infos["id"]}'
        if not os.path.exists(session_file):
-            response.delete_cookie("yunohost.admin", path="/")
+            response.delete_cookie("yunohost.admin", path="/yunohost/api")
            raise YunohostAuthenticationError("session_expired")

        # Otherwise, we 'touch' the file to extend the validity
--- a/src/authenticators/ldap_ynhuser.py
+++ b/src/authenticators/ldap_ynhuser.py
@ -196,7 +196,7 @@ class Authenticator(BaseAuthenticator):
            jwt.encode(infos, SESSION_SECRET(), algorithm="HS256"),
            secure=True,
            httponly=True,
-            path="/",
+            path="/yunohost/portalapi",
            # Doesn't this cause issues ? May cause issue if the portal is on different subdomain than the portal API ? Will surely cause issue for development similar to CORS ?
            samesite="strict" if not is_dev else None,
        )
@ -252,7 +252,7 @@ class Authenticator(BaseAuthenticator):
        except Exception as e:
            logger.debug(f"User logged out, but failed to properly invalidate the session : {e}")

-        response.delete_cookie("yunohost.portal", path="/")
+        response.delete_cookie("yunohost.portal", path="/yunohost/portalapi")

    def purge_expired_session_files(self):