
Samesite auth cookie #5255

Merged
merged 3 commits into from
Mar 18, 2020

Conversation

amercader
Member

Allows setting the SameSite attribute on the auth cookie and, aligning with what browsers are moving towards, defaults it to Lax.

Refactored the code to not rely on string manipulation for modifying the cookie attributes but rather the standard library module.

This causes some changes in the case of the attributes and their order which means updating the tests, but I think it's worth the extra work.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies
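As an added illustration, not CKAN's own code, of the approach the description outlines: driving the auth cookie's attributes from config through the standard library's http.cookies module (Python 3.8+, where the samesite key is known) instead of string manipulation, which also shows the attribute capitalisation and ordering the stdlib imposes. The `who.samesite` key name, the `_bool` implementation and the value check are assumptions of this example.

```python
from http.cookies import SimpleCookie   # Python 3.8+ knows the 'samesite' key

# Config keys as the PR shows them; 'who.samesite' is an assumed name.
_ALLOWED_SAMESITE = ("Strict", "Lax", "None")


def _bool(value):
    """Turn a config value (normally a string from the .ini) into a bool.
    A plain truthiness check would treat the string "false" as True, which is
    why the PR wraps the config lookups in a conversion helper (assumed impl).
    """
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def validate_samesite(samesite, secure):
    """Return an error message for a bad SameSite setting, or None."""
    if samesite not in _ALLOWED_SAMESITE:
        return "who.samesite must be one of %s" % (_ALLOWED_SAMESITE,)
    # Browsers drop a SameSite=None cookie that is not also Secure.
    if samesite == "None" and not secure:
        return "SameSite=None requires who.secure = true"
    return None


def cookie_attributes(config, name="auth_tkt", value="tkt"):
    """Render the Set-Cookie attribute string for the auth cookie.
    Result looks like 'auth_tkt=tkt; HttpOnly; Path=/; SameSite=Lax; Secure':
    the stdlib capitalises attribute names and sorts them, which is the
    case/order change the PR mentions.
    """
    secure = _bool(config.get("who.secure", False))
    httponly = _bool(config.get("who.httponly", True))
    samesite = str(config.get("who.samesite", "Lax")).strip().capitalize()
    error = validate_samesite(samesite, secure)
    if error:
        raise ValueError(error)

    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["samesite"] = samesite
    # Flags are emitted bare ('Secure', 'HttpOnly') when truthy, else omitted.
    morsel["secure"] = secure
    morsel["httponly"] = httponly
    return morsel.OutputString()
```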

Allows setting the SameSite attribute on the auth cookie and, aligning
with what browsers are moving towards, defaults it to `Lax`

Refactored the code to not rely on string manipulation for modifying the
cookie attributes but rather the standard library module.

This causes some changes in the case of the attributes and their order
but it's worth the extra work.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies
Order attributes before comparing, add tests for SameSite
# Set secure based on config value. Default is False
secure = config.get(u'who.secure', False)
secure = _bool(config.get(u'who.secure', False))
# Set samesite based on config value. Default is lax
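Review bot: nothing in this hunk validates the configured SameSite value or its interaction with `secure`; browsers reject a `SameSite=None` cookie that lacks the `Secure` attribute, and `who.secure` defaults to `False` on the line above, so the plugin should check the value against `Strict`/`Lax`/`None` and refuse (or at least warn on) `None` when `who.secure` is false, or document that combination in the config reference.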
Contributor


This should be documented as a potentially breaking change (admittedly it shouldn't break sensible setups).

Member


Changelogs are updated during the release process, so it would be documented there.

@@ -69,9 +92,15 @@ def make_plugin(secret=None,
if timeout is not None and reissue_time is None:
reissue_time = int(math.ceil(int(timeout) * 0.1))
# Set httponly based on config value. Default is True
httponly = config.get(u'who.httponly', True)
httponly = _bool(config.get(u'who.httponly', True))
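Review bot: wrapping the lookup in `_bool` is the right fix, since a value read from the config file arrives as a string and a bare `config.get(u'who.httponly', True)` would treat the string `'false'` as truthy, but the hunk shows no test pinning that behaviour; add a case that sets `who.httponly = false` and asserts the rendered cookie carries no `HttpOnly` attribute, so a later change to `_bool` cannot silently flip the flag.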
Contributor


This should probably be deferred until after we check the attributes that might cause an early termination.

Member


Boolean conversions were done in the CkanAuthTktCookiePlugin call and those variables weren't used anywhere else, so it makes sense to convert them right away.

@Zharktas
Member

Note about the change and how to disable it should be added to the release notes.

@amercader
Member Author

@Zharktas did you cherry-pick this into the dev-v2.* branches already? If not, add the "Backport pending" label; otherwise we assume the backport has been done.
This will require some manual work because on 2.6 to 2.8 the auth_tkt.py file is on ckan/lib, not in ckan/lib/repoze_plugins.

@Zharktas
Member

Zharktas commented Mar 26, 2020

@amercader ah right, missed the pending label, added now.

amercader added a commit that referenced this pull request Apr 3, 2020
Adapted version of #5255 PR for 2.8
Zharktas added a commit to vrk-kpa/api-catalog that referenced this pull request Apr 30, 2020
@amercader amercader deleted the samesite-auth-cookie branch August 19, 2021 13:16