diff --git a/app/__init__.py b/app/__init__.py
index a1fdec0f..f48b6b93 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -1,23 +1,21 @@
-from flask import Flask, jsonify
+import logging
+
+from apispec import APISpec
+from apispec.ext.marshmallow import MarshmallowPlugin
+from elasticapm.contrib.flask import ElasticAPM
+from flask import Flask
 from flask_apispec import FlaskApiSpec
-from flask_migrate import Migrate
 from flask_cors import CORS
+from flask_migrate import Migrate
 from werkzeug.exceptions import HTTPException
-import sentry_sdk
-from sentry_sdk.integrations.flask import FlaskIntegration
-from apispec import APISpec
-from apispec.ext.marshmallow import MarshmallowPlugin
 import config
-from config import MOBILIC_ENV
 from app.helpers.db import SQLAlchemyWithStrongRefSession
 from app.helpers.errors import MobilicError
-from app.helpers.siren import SirenAPIClient
 from app.helpers.request_parser import CustomRequestParser
+from app.helpers.siren import SirenAPIClient
 from app.templates.filters import JINJA_CUSTOM_FILTERS
-from elasticapm.contrib.flask import ElasticAPM
-import logging
-
+from config import MOBILIC_ENV
 app = Flask(__name__)
 app.config.update(
@@ -59,8 +57,6 @@ Migrate(app, db)
-CORS(app)
-
 from app.helpers.graphql import CustomGraphQLView
 from app.controllers import graphql_schema, private_graphql_schema
 from app.helpers import logging
diff --git a/app/helpers/authentication.py b/app/helpers/authentication.py
index 17be6747..17461ab1 100644
--- a/app/helpers/authentication.py
+++ b/app/helpers/authentication.py
@@ -10,6 +10,7 @@
 get_raw_jwt,
 get_jwt_identity,
 JWTManager,
+ get_csrf_token,
 )
 from datetime import date, datetime
 import graphene
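Review bot: `from flask_cors import CORS` is kept in the import hunk of app/__init__.py while the second hunk deletes `CORS(app)`, the only use visible in the diff; unless CORS is referenced further down the module, that import is now dead and should go in the same commit. Dropping the call also stops Flask-CORS from emitting its default allow-any-origin response headers, which fits the move to CSRF-protected cookies, but nothing records that this is deliberate. A one-line comment at the former call site, e.g. `# No Flask-CORS on purpose: this API does not grant cross-origin browser access.`, would keep the next contributor from re-adding `CORS(app)` to silence a cross-origin error. I am inferring the same-origin intent from the CSRF changes elsewhere in the commit; confirm it against how the frontend is actually served.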
@@ -189,12 +190,31 @@ def set_auth_cookies(
 path=app.config["JWT_REFRESH_COOKIE_PATH"],
 samesite="Strict",
 )
+ response.set_cookie(
+ app.config["JWT_ACCESS_CSRF_COOKIE_NAME"],
+ value=get_csrf_token(access_token),
+ expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
+ secure=app.config["JWT_COOKIE_SECURE"],
+ httponly=False,
+ path=app.config["JWT_ACCESS_CSRF_COOKIE_PATH"],
+ samesite="Strict",
+ )
+ response.set_cookie(
+ app.config["JWT_REFRESH_CSRF_COOKIE_NAME"],
+ value=get_csrf_token(refresh_token),
+ expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
+ secure=app.config["JWT_COOKIE_SECURE"],
+ httponly=False,
+ path=app.config["JWT_REFRESH_CSRF_COOKIE_PATH"],
+ samesite="Strict",
+ )
 response.set_cookie(
 "userId",
 value=str(user_id),
 expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
 secure=app.config["JWT_COOKIE_SECURE"],
 httponly=False,
+ samesite="Strict",
 )
 response.set_cookie(
 "atEat",
@@ -208,6 +228,7 @@ def set_auth_cookies(
 expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
 secure=app.config["JWT_COOKIE_SECURE"],
 httponly=False,
+ samesite="Strict",
 )
 if fc_token:
 response.set_cookie(
@@ -225,6 +246,7 @@ def set_auth_cookies(
 expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
 secure=app.config["JWT_COOKIE_SECURE"],
 httponly=False,
+ samesite="Strict",
 )
diff --git a/config.py b/config.py
index dc89c9aa..a0f8875e 100644
--- a/config.py
+++ b/config.py
@@ -47,7 +47,7 @@ class Config:
 "MATTERMOST_SECONDARY_LOG_CHANNEL", "#mobilic-secondary-alerts"
 )
 JWT_TOKEN_LOCATION = ["headers", "cookies"]
-JWT_COOKIE_CSRF_PROTECT = False
+JWT_COOKIE_CSRF_PROTECT = True
 JWT_ACCESS_COOKIE_NAME = "at"
 JWT_ACCESS_COOKIE_PATH = "/api"
 JWT_REFRESH_COOKIE_NAME = "rt"
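Review bot: The two new CSRF cookies are the one place in set_auth_cookies where `httponly=False` is a requirement rather than an omission — the double-submit scheme only works if browser-side code can read the cookie and echo it in the header flask-jwt-extended checks — yet nothing in the hunk says so, which invites a later hardening pass to flip it and silently break every cookie-authenticated POST. A comment above the first new `response.set_cookie(`, such as `# CSRF double-submit tokens: deliberately readable by JS (httponly=False) so the client can echo them in the CSRF header; unlike the JWT cookies, the value alone authenticates nothing.`, would settle that. As a point of style, `datetime.utcnow()` is now re-evaluated in seven separate `set_cookie` calls across this hunk and the two below it, so the expiries drift by microseconds and the line repeats; compute `expires = datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"]` once near the top of the function and pass `expires=expires` to each call (`utcnow()` is also deprecated from Python 3.12 in favour of `datetime.now(timezone.utc)`). set_auth_cookies begins before this hunk, so the natural place for that variable is outside the visible lines.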
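Review bot: `JWT_COOKIE_CSRF_PROTECT = True` leaves cookie-authenticated GET requests unchecked: flask-jwt-extended applies the double-submit check only to the methods in `JWT_CSRF_METHODS` (POST, PUT, PATCH and DELETE by default) and only when the token was read from the cookie, so with `JWT_TOKEN_LOCATION = ["headers", "cookies"]` header-authenticated calls are unaffected, which is expected. The gap to confirm is the GraphQL endpoint wired in app/__init__.py via `CustomGraphQLView`: if that view would execute a mutation supplied as a GET query string, a cookie-bearing GET still carries the session and is not CSRF-checked, so either verify the view rejects non-query operations on GET or extend `JWT_CSRF_METHODS`. A comment next to the flag naming that dependency, e.g. `# Double-submit CSRF for cookie auth; assumes no endpoint accepts state changes over GET`, would make the assumption visible. The CSRF cookie names and paths read in set_auth_cookies are not set in this class, so they presumably rely on the defaults JWTManager installs — worth stating in the same comment.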