external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

use secure=True when options.disable_http_login is enabled

Browse source 
We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.

Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.

This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.

We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2021-06-11 23:09:34 -07:00
parent 763b84d0b9
commit ec632a7091
6 changed files with 72 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

9
aurweb/templates.py
View file

@ -88,7 +88,10 @@ def render_template(request: Request,
template = templates.get_template(path)
rendered = template.render(context)
response = HTMLResponse(rendered, status_code=int(status_code))
response.set_cookie("AURLANG", context.get("language"))
response.set_cookie("AURTZ", context.get("timezone"))
response = HTMLResponse(rendered, status_code=status_code)
secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
response.set_cookie("AURLANG", context.get("language"),
secure=secure_cookies, httponly=True)
response.set_cookie("AURTZ", context.get("timezone"),
secure=secure_cookies, httponly=True)
return response