external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

use secure=True when options.disable_http_login is enabled

Browse source 
We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.

Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.

This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.

We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2021-06-11 23:09:34 -07:00
parent 763b84d0b9
commit ec632a7091
6 changed files with 72 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

3
aurweb/util.py
View file

@ -85,8 +85,9 @@ def valid_ssh_pubkey(pk):
def migrate_cookies(request, response):
secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
for k, v in request.cookies.items():
response.set_cookie(k, v)
response.set_cookie(k, v, secure=secure_cookies, httponly=True)
return response