Commit 84c43f55 authored by Frank Bessou's avatar Frank Bessou 🍁

feat: handle same_site cookies configuration in pyramid.ini

related: #278
parent e607a0f76d2b
......@@ -150,7 +150,7 @@ class CWAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
unset = object()
kw = {}
# load string settings
for name in ('cookie_name', 'path', 'domain', 'hashalg'):
for name in ('cookie_name', 'path', 'domain', 'hashalg', "samesite"):
value = settings.get(prefix + name, defaults.get(name, unset))
if value is not unset:
kw[name] = value
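Review bot: The `samesite` value read at the new line is handed to AuthTktAuthenticationPolicy with no validation and no cross-check against the cookie's `secure` flag, so a configuration of `SameSite=None` on a cookie that is not `Secure` — exactly what the accompanying test uses — yields a cookie that current browsers discard, and a misspelled value is either rejected by WebOb only at response time or, depending on the version, emitted verbatim. After the loop, guard the one dangerous combination: `if str(kw.get('samesite', '')).lower() == 'none' and not kw.get('secure'): raise ValueError(prefix + 'samesite=None requires ' + prefix + 'secure=true')` (this assumes the `secure` setting is loaded into `kw` elsewhere in this method, which is outside the hunk — adjust to wherever it actually lives). The fallback comes from `defaults`, also outside the hunk; the documentation hunk in this commit lists `'auth_tkt'` as the samesite default, which is not a SameSite value, so whatever source the test's `Lax` really comes from should be stated there instead. Minor style point: the new entry uses double quotes while the rest of the tuple uses single quotes, so `'samesite'` keeps the line consistent.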
......@@ -74,6 +74,27 @@ class LoginTest(PyramidCWTest):
rmtree(join(self.config.apphome, 'i18n'))
self.assertIn(u"\xc9chec de l'authentification", res.text)
def test_same_site_lax_by_default(self):
res = self.webapp.post('/login', {
'__login': self.admlogin, '__password': self.admpassword})
for cookie in res.headers.getall("Set-Cookie"):
self.assertIn("SameSite=Lax", cookie)
self.assertTrue(len(res.headers.getall("Set-Cookie")) > 0)
class CookieParametersTC(PyramidCWTest):
settings = {
'cubicweb.bwcompat': True,
'cubicweb.auth.authtkt.session.samesite': "None",
}
def test_same_site_set_from_config(self):
res = self.webapp.post('/login', {
'__login': self.admlogin, '__password': self.admpassword})
for cookie in res.headers.getall("Set-Cookie"):
self.assertIn("SameSite=None", cookie)
self.assertTrue(len(res.headers.getall("Set-Cookie")) > 0)
if __name__ == '__main__':
from unittest import main
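Review bot: `test_same_site_set_from_config` asserts only the `SameSite=None` attribute; browsers discard a `SameSite=None` cookie that is not also marked `Secure`, so this test passes while the configuration it exercises produces a cookie that is rejected in practice. Either add `self.assertIn("Secure", cookie)` beside the `SameSite=None` check and enable the corresponding secure setting in `settings` (its key is not visible here), or, if the policy is meant to refuse that combination, assert the refusal instead. Only the session cookie is exercised; the `persistent.samesite` setting this commit documents has no test at all. In both tests the header lookup is repeated after the loop — bind `cookies = res.headers.getall("Set-Cookie")` once before the loop and finish with `self.assertTrue(cookies)`, which also makes an empty response fail with a clearer message than `len(...) > 0`.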
......@@ -119,6 +119,11 @@ The Pyramid CubicWeb specific configuration entries are:
('auth_tkt') The cookie name. Must be different from the persistent
authentication cookie name.
.. confval:: cubicweb.auth.authtkt.session.samesite (str)
('auth_tkt') Allows you to declare if your cookie should be restricted
to a first-party or same-site context. See here_ for more information.
.. confval:: cubicweb.auth.authtkt.session.timeout (int)
(1200) Cookie timeout.
......@@ -135,6 +140,13 @@ The Pyramid CubicWeb specific configuration entries are:
('auth_tkt') The cookie name. Must be different from the session
authentication cookie name.
.. confval:: cubicweb.auth.authtkt.persistent.samesite (str)
('auth_tkt') Allows you to declare if your cookie should be restricted
to a first-party or same-site context. See here_ for more information.
.. _here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
.. confval:: cubicweb.auth.authtkt.persistent.max_age (int)
(30 days) Max age in seconds.