✨ Improve auth-data xdomain cookie
This commit is contained in:
parent
9194e257b6
commit
abff7d324d
2 changed files with 20 additions and 18 deletions
|
@ -113,8 +113,7 @@
|
||||||
(s/def ::worker-default-parallelism ::us/integer)
|
(s/def ::worker-default-parallelism ::us/integer)
|
||||||
(s/def ::worker-webhook-parallelism ::us/integer)
|
(s/def ::worker-webhook-parallelism ::us/integer)
|
||||||
|
|
||||||
(s/def ::authenticated-cookie-domain ::us/string)
|
(s/def ::auth-data-cookie-domain ::us/string)
|
||||||
(s/def ::authenticated-cookie-name ::us/string)
|
|
||||||
(s/def ::auth-token-cookie-name ::us/string)
|
(s/def ::auth-token-cookie-name ::us/string)
|
||||||
(s/def ::auth-token-cookie-max-age ::dt/duration)
|
(s/def ::auth-token-cookie-max-age ::dt/duration)
|
||||||
|
|
||||||
|
@ -222,7 +221,6 @@
|
||||||
::audit-log-http-handler-concurrency
|
::audit-log-http-handler-concurrency
|
||||||
::auth-token-cookie-name
|
::auth-token-cookie-name
|
||||||
::auth-token-cookie-max-age
|
::auth-token-cookie-max-age
|
||||||
::authenticated-cookie-name
|
|
||||||
::authenticated-cookie-domain
|
::authenticated-cookie-domain
|
||||||
::database-password
|
::database-password
|
||||||
::database-uri
|
::database-uri
|
||||||
|
|
|
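Review bot: The keys list in the second hunk still names `::authenticated-cookie-domain` (unchanged on both sides) although the first hunk renames that spec to `::auth-data-cookie-domain`, so the list now references a spec that, as far as this diff shows, is no longer defined while the new spec is never listed and `:auth-data-cookie-domain` is not validated with the rest of the config. With clojure.spec an unregistered spec referenced from `s/keys` can also surface as a resolution error when the key is present in the config map. The line should read `::auth-data-cookie-domain` in place of `::authenticated-cookie-domain`, matching the rename and the removal of `::authenticated-cookie-name` done just above it. The enclosing `s/keys` form starts and ends outside the hunk.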
@ -10,6 +10,7 @@
|
||||||
[app.common.data :as d]
|
[app.common.data :as d]
|
||||||
[app.common.logging :as l]
|
[app.common.logging :as l]
|
||||||
[app.common.spec :as us]
|
[app.common.spec :as us]
|
||||||
|
[app.common.uri :as u]
|
||||||
[app.config :as cf]
|
[app.config :as cf]
|
||||||
[app.db :as db]
|
[app.db :as db]
|
||||||
[app.db.sql :as sql]
|
[app.db.sql :as sql]
|
||||||
|
@ -33,7 +34,7 @@
|
||||||
|
|
||||||
;; A cookie that we can use to check from other sites of the same
|
;; A cookie that we can use to check from other sites of the same
|
||||||
;; domain if a user is authenticated.
|
;; domain if a user is authenticated.
|
||||||
(def default-authenticated-cookie-name "authenticated")
|
(def default-auth-data-cookie-name "auth-data")
|
||||||
|
|
||||||
;; Default value for cookie max-age
|
;; Default value for cookie max-age
|
||||||
(def default-cookie-max-age (dt/duration {:days 7}))
|
(def default-cookie-max-age (dt/duration {:days 7}))
|
||||||
|
@ -133,9 +134,9 @@
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
(declare ^:private assign-auth-token-cookie)
|
(declare ^:private assign-auth-token-cookie)
|
||||||
(declare ^:private assign-authenticated-cookie)
|
(declare ^:private assign-auth-data-cookie)
|
||||||
(declare ^:private clear-auth-token-cookie)
|
(declare ^:private clear-auth-token-cookie)
|
||||||
(declare ^:private clear-authenticated-cookie)
|
(declare ^:private clear-auth-data-cookie)
|
||||||
(declare ^:private gen-token)
|
(declare ^:private gen-token)
|
||||||
|
|
||||||
(defn create-fn
|
(defn create-fn
|
||||||
|
@ -153,7 +154,7 @@
|
||||||
(l/trace :hint "create" :profile-id (str profile-id))
|
(l/trace :hint "create" :profile-id (str profile-id))
|
||||||
(-> response
|
(-> response
|
||||||
(assign-auth-token-cookie session)
|
(assign-auth-token-cookie session)
|
||||||
(assign-authenticated-cookie session)))))
|
(assign-auth-data-cookie session)))))
|
||||||
|
|
||||||
(defn delete-fn
|
(defn delete-fn
|
||||||
[{:keys [::manager]}]
|
[{:keys [::manager]}]
|
||||||
|
@ -167,7 +168,7 @@
|
||||||
(assoc :status 204)
|
(assoc :status 204)
|
||||||
(assoc :body nil)
|
(assoc :body nil)
|
||||||
(clear-auth-token-cookie)
|
(clear-auth-token-cookie)
|
||||||
(clear-authenticated-cookie)))))
|
(clear-auth-data-cookie)))))
|
||||||
|
|
||||||
(defn- gen-token
|
(defn- gen-token
|
||||||
[props {:keys [profile-id created-at]}]
|
[props {:keys [profile-id created-at]}]
|
||||||
|
@ -229,7 +230,7 @@
|
||||||
(let [session (update! manager session)]
|
(let [session (update! manager session)]
|
||||||
(-> response
|
(-> response
|
||||||
(assign-auth-token-cookie session)
|
(assign-auth-token-cookie session)
|
||||||
(assign-authenticated-cookie session)))
|
(assign-auth-data-cookie session)))
|
||||||
response))))
|
response))))
|
||||||
|
|
||||||
(def soft-auth
|
(def soft-auth
|
||||||
|
@ -262,11 +263,11 @@
|
||||||
:secure secure?}]
|
:secure secure?}]
|
||||||
(update response :cookies assoc name cookie)))
|
(update response :cookies assoc name cookie)))
|
||||||
|
|
||||||
(defn- assign-authenticated-cookie
|
(defn- assign-auth-data-cookie
|
||||||
[response {updated-at :updated-at}]
|
[response {profile-id :profile-id updated-at :updated-at}]
|
||||||
(let [max-age (cf/get :auth-token-cookie-max-age default-cookie-max-age)
|
(let [max-age (cf/get :auth-token-cookie-max-age default-cookie-max-age)
|
||||||
domain (cf/get :authenticated-cookie-domain)
|
domain (cf/get :auth-data-cookie-domain)
|
||||||
cname (cf/get :authenticated-cookie-name "authenticated")
|
cname default-auth-data-cookie-name
|
||||||
|
|
||||||
created-at (or updated-at (dt/now))
|
created-at (or updated-at (dt/now))
|
||||||
renewal (dt/plus created-at default-renewal-max-age)
|
renewal (dt/plus created-at default-renewal-max-age)
|
||||||
|
@ -274,14 +275,17 @@
|
||||||
|
|
||||||
comment (str "Renewal at: " (dt/format-instant renewal :rfc1123))
|
comment (str "Renewal at: " (dt/format-instant renewal :rfc1123))
|
||||||
secure? (contains? cf/flags :secure-session-cookies)
|
secure? (contains? cf/flags :secure-session-cookies)
|
||||||
|
strict? (contains? cf/flags :strict-session-cookies)
|
||||||
|
cors? (contains? cf/flags :cors)
|
||||||
|
|
||||||
cookie {:domain domain
|
cookie {:domain domain
|
||||||
:expires expires
|
:expires expires
|
||||||
:path "/"
|
:path "/"
|
||||||
:comment comment
|
:comment comment
|
||||||
:value true
|
:value (u/map->query-string {:profile-id profile-id})
|
||||||
:same-site :strict
|
:same-site (if cors? :none (if strict? :strict :lax))
|
||||||
:secure secure?}]
|
:secure secure?}]
|
||||||
|
|
||||||
(cond-> response
|
(cond-> response
|
||||||
(string? domain)
|
(string? domain)
|
||||||
(update :cookies assoc cname cookie))))
|
(update :cookies assoc cname cookie))))
|
||||||
|
@ -291,10 +295,10 @@
|
||||||
(let [cname (cf/get :auth-token-cookie-name default-auth-token-cookie-name)]
|
(let [cname (cf/get :auth-token-cookie-name default-auth-token-cookie-name)]
|
||||||
(update response :cookies assoc cname {:path "/" :value "" :max-age 0})))
|
(update response :cookies assoc cname {:path "/" :value "" :max-age 0})))
|
||||||
|
|
||||||
(defn- clear-authenticated-cookie
|
(defn- clear-auth-data-cookie
|
||||||
[response]
|
[response]
|
||||||
(let [cname (cf/get :authenticated-cookie-name default-authenticated-cookie-name)
|
(let [cname default-auth-data-cookie-name
|
||||||
domain (cf/get :authenticated-cookie-domain)]
|
domain (cf/get :auth-data-cookie-domain)]
|
||||||
(cond-> response
|
(cond-> response
|
||||||
(string? domain)
|
(string? domain)
|
||||||
(update :cookies assoc cname {:domain domain :path "/" :value "" :max-age 0}))))
|
(update :cookies assoc cname {:domain domain :path "/" :value "" :max-age 0}))))
|
||||||
|
|
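Review bot: In `assign-auth-data-cookie` the `@ -274` hunk sets `:same-site :none` whenever the `:cors` flag is on, but `:secure` is still driven only by the independent `:secure-session-cookies` flag, so a deployment with `:cors` set and `:secure-session-cookies` unset emits `SameSite=None` without `Secure`, which Chromium-based browsers reject outright and the cookie silently never arrives. Tying the two together, e.g. `:secure (or secure? cors?)`, or gating `:none` on `secure?` (`:same-site (if (and cors? secure?) :none (if strict? :strict :lax))`), keeps the cookie valid; alternatively log a warning at startup when the flags conflict. Separately, the value is now `(u/map->query-string {:profile-id profile-id})` with no signature and no `:http-only`, so any script on the shared domain can read and forge it; the existing header comment should say so, e.g. `;; The value is unsigned and readable from JS: treat it as a UI hint only, never as proof of identity.` `assign-auth-data-cookie` begins before the `@ -274` hunk, in the `@ -262` hunk above it.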