feat: handle same_site cookies configuration in pyramid.ini

related: #278

feat: handle same_site cookies configuration in pyramid.ini
related: #278
84c43f55 · Frank Bessou · e607a0f76d2b · 2ab11cff · 2ab11cff · 2ab11cff
Commit 84c43f55 authored Mar 23, 2021 by Frank Bessou 🍁
--- a/cubicweb/pyramid/auth.py
+++ b/cubicweb/pyramid/auth.py
@@ -150,7 +150,7 @@ class CWAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
        unset = object()
        kw = {}
        # load string settings
-        for name in ('cookie_name', 'path', 'domain', 'hashalg'):
+        for name in ('cookie_name', 'path', 'domain', 'hashalg', "samesite"):
            value = settings.get(prefix + name, defaults.get(name, unset))
            if value is not unset:
                kw[name] = value

--- a/cubicweb/pyramid/test/test_login.py
+++ b/cubicweb/pyramid/test/test_login.py
@@ -74,6 +74,27 @@ class LoginTest(PyramidCWTest):
            rmtree(join(self.config.apphome, 'i18n'))
        self.assertIn(u"\xc9chec de l'authentification", res.text)

+    def test_same_site_lax_by_default(self):
+        res = self.webapp.post('/login', {
+            '__login': self.admlogin, '__password': self.admpassword})
+        for cookie in res.headers.getall("Set-Cookie"):
+            self.assertIn("SameSite=Lax", cookie)
+        self.assertTrue(len(res.headers.getall("Set-Cookie")) > 0)
+
+
+class CookieParametersTC(PyramidCWTest):
+    settings = {
+        'cubicweb.bwcompat': True,
+        'cubicweb.auth.authtkt.session.samesite': "None",
+    }
+
+    def test_same_site_set_from_config(self):
+        res = self.webapp.post('/login', {
+            '__login': self.admlogin, '__password': self.admpassword})
+        for cookie in res.headers.getall("Set-Cookie"):
+            self.assertIn("SameSite=None", cookie)
+        self.assertTrue(len(res.headers.getall("Set-Cookie")) > 0)
+

 if __name__ == '__main__':
    from unittest import main

--- a/doc/book/pyramid/settings.rst
+++ b/doc/book/pyramid/settings.rst
@@ -119,6 +119,11 @@ The Pyramid CubicWeb specific configuration entries are:
        ('auth_tkt') The cookie name. Must be different from the persistent
        authentication cookie name.

+    .. confval:: cubicweb.auth.authtkt.session.samesite (str)
+
+        ('auth_tkt') Allows you to declare if your cookie should be restricted
+        to a first-party or same-site context. See here_ for more information.
+
    .. confval:: cubicweb.auth.authtkt.session.timeout (int)

        (1200) Cookie timeout.
@@ -135,6 +140,13 @@ The Pyramid CubicWeb specific configuration entries are:
        ('auth_tkt') The cookie name. Must be different from the session
        authentication cookie name.

+    .. confval:: cubicweb.auth.authtkt.persistent.samesite (str)
+
+        ('auth_tkt') Allows you to declare if your cookie should be restricted
+        to a first-party or same-site context. See here_ for more information.
+
+    .. _here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+
    .. confval:: cubicweb.auth.authtkt.persistent.max_age (int)

        (30 days) Max age in seconds.