fix: make AURSID a session cookie if "remember me" is not checked

This should match more closely the expectation of a user. A session cookie should vanish on browser close and you thus they need to authenticate again. There is no need to bump the expiration of AURSID either, so we can remove that part. Signed-off-by: moson-mo <mo-son@mailbox.org>
2025-02-03 10:43:03 +01:00 · 2023-05-26 11:21:16 +02:00 · 2023-05-26 11:21:16 +02:00 · 22fe4a988a
commit 22fe4a988a
parent 0807ae6b7c
5 changed files with 32 additions and 69 deletions
--- a/aurweb/cookies.py
+++ b/aurweb/cookies.py
@ -1,6 +1,3 @@
-from fastapi import Request
-from fastapi.responses import Response
-
 from aurweb import config


@ -33,33 +30,3 @@ def timeout(extended: bool) -> int:
    if bool(extended):
        timeout = config.getint("options", "persistent_cookie_timeout")
    return timeout
-
-
-def update_response_cookies(
-    request: Request,
-    response: Response,
-    aursid: str = None,
-) -> Response:
-    """Update session cookies. This method is particularly useful
-    when updating a cookie which was already set.
-
-    The AURSID cookie's expiration is based on the AURREMEMBER cookie,
-    which is retrieved from `request`.
-
-    :param request: FastAPI request
-    :param response: FastAPI response
-    :param aursid: Optional AURSID cookie value
-    :returns: Updated response
-    """
-    secure = config.getboolean("options", "disable_http_login")
-    if aursid:
-        remember_me = request.cookies.get("AURREMEMBER") == "True"
-        response.set_cookie(
-            "AURSID",
-            aursid,
-            secure=secure,
-            httponly=secure,
-            max_age=timeout(remember_me),
-            samesite=samesite(),
-        )
-    return response
--- a/aurweb/routers/auth.py
+++ b/aurweb/routers/auth.py
@ -69,7 +69,12 @@ async def login_post(
    if user.Suspended:
        return await login_template(request, next, errors=["Account Suspended"])

-    cookie_timeout = cookies.timeout(remember_me)
+    # If "remember me" was not ticked, we set a session cookie for AURSID,
+    # otherwise we make it a persistent cookie
+    cookie_timeout = None
+    if remember_me:
+        cookie_timeout = aurweb.config.getint("options", "persistent_cookie_timeout")
+
    perma_timeout = aurweb.config.getint("options", "permanent_cookie_timeout")
    sid = _retry_login(request, user, passwd, cookie_timeout)
    if not sid:
--- a/aurweb/templates.py
+++ b/aurweb/templates.py
@ -10,7 +10,7 @@ from fastapi import Request
 from fastapi.responses import HTMLResponse

 import aurweb.config
-from aurweb import cookies, l10n, time
+from aurweb import l10n, time

 # Prepare jinja2 objects.
 _loader = jinja2.FileSystemLoader(
@ -145,13 +145,4 @@ def render_template(
 ):
    """Render a template as an HTMLResponse."""
    rendered = render_raw_template(request, path, context)
-    response = HTMLResponse(rendered, status_code=int(status_code))
-
-    sid = None
-    if request.user.is_authenticated():
-        sid = request.cookies.get("AURSID")
-
-    # Re-emit SID via update_response_cookies with an updated expiration.
-    # This extends the life of a user session based on the AURREMEMBER
-    # cookie, which is always set to the "Remember Me" state on login.
-    return cookies.update_response_cookies(request, response, aursid=sid)
+    return HTMLResponse(rendered, status_code=int(status_code))