Set auth cookies to SameSite=Lax
fruttasecca committed Sep 30, 2022
1 parent bdceb85 commit c2587a9
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions services/auth-server/app/app/views.py
Expand Up @@ -114,8 +114,8 @@ def index() -> Tuple[Literal[""], Literal[200]] | Tuple[Literal[""], Literal[401
@app.route("/login/clear", methods=["GET"])
def logout() -> Response | None:
resp = redirect_response("/")
resp.set_cookie("auth_token", "")
resp.set_cookie("auth_username", "")
resp.set_cookie("auth_token", "", samesite="Lax")
resp.set_cookie("auth_username", samesite="Lax")
return resp

def redirect_response(url: str, redirect_type: str = "server") -> Response:
Expand Down Expand Up @@ -182,8 +182,9 @@ def handle_login(
db.session.commit()

resp = redirect_response(redirect_url, redirect_type)
resp.set_cookie("auth_token", token.token)
resp.set_cookie("auth_username", username)
# samesite="Lax" to avoid CSRF attacks.
resp.set_cookie("auth_token", token.token, samesite="Lax")
resp.set_cookie("auth_username", username, samesite="Lax")

return resp
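Review bot: The `auth_token` cookie written by the new `resp.set_cookie("auth_token", token.token, samesite="Lax")` line still carries no `httponly` or `secure` flag, so the session token remains readable from page scripts and is also sent over plain HTTP; `samesite` only restricts cross-site sending. I would write it as `resp.set_cookie("auth_token", token.token, samesite="Lax", httponly=True, secure=True)`, dropping `secure=True` only if this service is knowingly served without TLS. The comment above it also overstates what Lax provides, since cookies are still attached to top-level GET navigations, so the GET `/login/clear` route in the first hunk stays reachable from a cross-site link; `# samesite="Lax": cookie is withheld on cross-site subrequests and non-GET navigations, not on top-level GET links.` states the actual guarantee. Separately, the logout hunk's `resp.set_cookie("auth_username", samesite="Lax")` drops the explicit `""` value its sibling line keeps and relies on the default, and neither call expires the cookie; `resp.delete_cookie("auth_username", samesite="Lax")` (and likewise for `auth_token`) would be consistent and actually remove it, provided the installed Werkzeug accepts `samesite` there. handle_login's body begins outside the hunk.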
