0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-01-09 16:30:37 -05:00

Improve auth-data xdomain cookie

This commit is contained in:
Andrey Antukh 2024-05-27 10:43:58 +02:00
parent 9194e257b6
commit abff7d324d
2 changed files with 20 additions and 18 deletions

View file

@ -113,8 +113,7 @@
(s/def ::worker-default-parallelism ::us/integer) (s/def ::worker-default-parallelism ::us/integer)
(s/def ::worker-webhook-parallelism ::us/integer) (s/def ::worker-webhook-parallelism ::us/integer)
(s/def ::authenticated-cookie-domain ::us/string) (s/def ::auth-data-cookie-domain ::us/string)
(s/def ::authenticated-cookie-name ::us/string)
(s/def ::auth-token-cookie-name ::us/string) (s/def ::auth-token-cookie-name ::us/string)
(s/def ::auth-token-cookie-max-age ::dt/duration) (s/def ::auth-token-cookie-max-age ::dt/duration)
@ -222,7 +221,6 @@
::audit-log-http-handler-concurrency ::audit-log-http-handler-concurrency
::auth-token-cookie-name ::auth-token-cookie-name
::auth-token-cookie-max-age ::auth-token-cookie-max-age
::authenticated-cookie-name
::authenticated-cookie-domain ::authenticated-cookie-domain
::database-password ::database-password
::database-uri ::database-uri

View file

@ -10,6 +10,7 @@
[app.common.data :as d] [app.common.data :as d]
[app.common.logging :as l] [app.common.logging :as l]
[app.common.spec :as us] [app.common.spec :as us]
[app.common.uri :as u]
[app.config :as cf] [app.config :as cf]
[app.db :as db] [app.db :as db]
[app.db.sql :as sql] [app.db.sql :as sql]
@ -33,7 +34,7 @@
;; A cookie that we can use to check from other sites of the same ;; A cookie that we can use to check from other sites of the same
;; domain if a user is authenticated. ;; domain if a user is authenticated.
(def default-authenticated-cookie-name "authenticated") (def default-auth-data-cookie-name "auth-data")
;; Default value for cookie max-age ;; Default value for cookie max-age
(def default-cookie-max-age (dt/duration {:days 7})) (def default-cookie-max-age (dt/duration {:days 7}))
@ -133,9 +134,9 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(declare ^:private assign-auth-token-cookie) (declare ^:private assign-auth-token-cookie)
(declare ^:private assign-authenticated-cookie) (declare ^:private assign-auth-data-cookie)
(declare ^:private clear-auth-token-cookie) (declare ^:private clear-auth-token-cookie)
(declare ^:private clear-authenticated-cookie) (declare ^:private clear-auth-data-cookie)
(declare ^:private gen-token) (declare ^:private gen-token)
(defn create-fn (defn create-fn
@ -153,7 +154,7 @@
(l/trace :hint "create" :profile-id (str profile-id)) (l/trace :hint "create" :profile-id (str profile-id))
(-> response (-> response
(assign-auth-token-cookie session) (assign-auth-token-cookie session)
(assign-authenticated-cookie session))))) (assign-auth-data-cookie session)))))
(defn delete-fn (defn delete-fn
[{:keys [::manager]}] [{:keys [::manager]}]
@ -167,7 +168,7 @@
(assoc :status 204) (assoc :status 204)
(assoc :body nil) (assoc :body nil)
(clear-auth-token-cookie) (clear-auth-token-cookie)
(clear-authenticated-cookie))))) (clear-auth-data-cookie)))))
(defn- gen-token (defn- gen-token
[props {:keys [profile-id created-at]}] [props {:keys [profile-id created-at]}]
@ -229,7 +230,7 @@
(let [session (update! manager session)] (let [session (update! manager session)]
(-> response (-> response
(assign-auth-token-cookie session) (assign-auth-token-cookie session)
(assign-authenticated-cookie session))) (assign-auth-data-cookie session)))
response)))) response))))
(def soft-auth (def soft-auth
@ -262,11 +263,11 @@
:secure secure?}] :secure secure?}]
(update response :cookies assoc name cookie))) (update response :cookies assoc name cookie)))
(defn- assign-authenticated-cookie (defn- assign-auth-data-cookie
[response {updated-at :updated-at}] [response {profile-id :profile-id updated-at :updated-at}]
(let [max-age (cf/get :auth-token-cookie-max-age default-cookie-max-age) (let [max-age (cf/get :auth-token-cookie-max-age default-cookie-max-age)
domain (cf/get :authenticated-cookie-domain) domain (cf/get :auth-data-cookie-domain)
cname (cf/get :authenticated-cookie-name "authenticated") cname default-auth-data-cookie-name
created-at (or updated-at (dt/now)) created-at (or updated-at (dt/now))
renewal (dt/plus created-at default-renewal-max-age) renewal (dt/plus created-at default-renewal-max-age)
@ -274,14 +275,17 @@
comment (str "Renewal at: " (dt/format-instant renewal :rfc1123)) comment (str "Renewal at: " (dt/format-instant renewal :rfc1123))
secure? (contains? cf/flags :secure-session-cookies) secure? (contains? cf/flags :secure-session-cookies)
strict? (contains? cf/flags :strict-session-cookies)
cors? (contains? cf/flags :cors)
cookie {:domain domain cookie {:domain domain
:expires expires :expires expires
:path "/" :path "/"
:comment comment :comment comment
:value true :value (u/map->query-string {:profile-id profile-id})
:same-site :strict :same-site (if cors? :none (if strict? :strict :lax))
:secure secure?}] :secure secure?}]
(cond-> response (cond-> response
(string? domain) (string? domain)
(update :cookies assoc cname cookie)))) (update :cookies assoc cname cookie))))
@ -291,10 +295,10 @@
(let [cname (cf/get :auth-token-cookie-name default-auth-token-cookie-name)] (let [cname (cf/get :auth-token-cookie-name default-auth-token-cookie-name)]
(update response :cookies assoc cname {:path "/" :value "" :max-age 0}))) (update response :cookies assoc cname {:path "/" :value "" :max-age 0})))
(defn- clear-authenticated-cookie (defn- clear-auth-data-cookie
[response] [response]
(let [cname (cf/get :authenticated-cookie-name default-authenticated-cookie-name) (let [cname default-auth-data-cookie-name
domain (cf/get :authenticated-cookie-domain)] domain (cf/get :auth-data-cookie-domain)]
(cond-> response (cond-> response
(string? domain) (string? domain)
(update :cookies assoc cname {:domain domain :path "/" :value "" :max-age 0})))) (update :cookies assoc cname {:domain domain :path "/" :value "" :max-age 0}))))