Feat/cors policy #74
wants to merge 4 commits into
base: master
22 changes: 9 additions & 13 deletions app/__init__.py
@@ -1,23 +1,21 @@
from flask import Flask, jsonify
import logging

from apispec import APISpec
from apispec.ext.marshmallow import MarshmallowPlugin
from elasticapm.contrib.flask import ElasticAPM
from flask import Flask
from flask_apispec import FlaskApiSpec
from flask_migrate import Migrate
from flask_cors import CORS
from flask_migrate import Migrate
from werkzeug.exceptions import HTTPException
import sentry_sdk
from sentry_sdk.integrations.flask import FlaskIntegration
from apispec import APISpec
from apispec.ext.marshmallow import MarshmallowPlugin

import config
from config import MOBILIC_ENV
from app.helpers.db import SQLAlchemyWithStrongRefSession
from app.helpers.errors import MobilicError
from app.helpers.siren import SirenAPIClient
from app.helpers.request_parser import CustomRequestParser
from app.helpers.siren import SirenAPIClient
from app.templates.filters import JINJA_CUSTOM_FILTERS
from elasticapm.contrib.flask import ElasticAPM
import logging

from config import MOBILIC_ENV

app = Flask(__name__)
app.config.update(
Expand Down Expand Up @@ -59,8 +57,6 @@

Migrate(app, db)

CORS(app)

from app.helpers.graphql import CustomGraphQLView
from app.controllers import graphql_schema, private_graphql_schema
from app.helpers import logging
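Review bot: Dropping `CORS(app)` at L76 (on the removed side, going by the -8/+6 count of the second hunk) removes flask-cors' default `Access-Control-Allow-Origin: *`, which is the right direction now that authentication rides on cookies: browsers never honour `*` for credentialed requests, so an explicit origin allowlist is the only way a credentialed cross-origin call could work anyway. If the frontend is served from an origin other than the API (not determinable from this diff), it now needs `CORS(app, origins=[...], supports_credentials=True)` scoped to the API routes with the CSRF header in `allow_headers`, otherwise its requests are blocked outright; if it is same-origin, nothing more is needed. Either way, leave a short comment where the call was, e.g. `# No blanket CORS: auth cookies are SameSite=Strict and the API is same-origin with the frontend`, so the next person does not re-add `CORS(app)`.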
22 changes: 22 additions & 0 deletions app/helpers/authentication.py
Expand Up @@ -10,6 +10,7 @@
get_raw_jwt,
get_jwt_identity,
JWTManager,
get_csrf_token,
)
from datetime import date, datetime
import graphene
Expand Down Expand Up @@ -189,12 +190,31 @@ def set_auth_cookies(
path=app.config["JWT_REFRESH_COOKIE_PATH"],
samesite="Strict",
)
response.set_cookie(
app.config["JWT_ACCESS_CSRF_COOKIE_NAME"],
value=get_csrf_token(access_token),
expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
secure=app.config["JWT_COOKIE_SECURE"],
httponly=False,
path=app.config["JWT_ACCESS_CSRF_COOKIE_PATH"],
samesite="Strict",
)
response.set_cookie(
app.config["JWT_REFRESH_CSRF_COOKIE_NAME"],
value=get_csrf_token(refresh_token),
expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
secure=app.config["JWT_COOKIE_SECURE"],
httponly=False,
path=app.config["JWT_REFRESH_CSRF_COOKIE_PATH"],
samesite="Strict",
)
response.set_cookie(
"userId",
value=str(user_id),
expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
secure=app.config["JWT_COOKIE_SECURE"],
httponly=False,
samesite="Strict",
)
response.set_cookie(
"atEat",
Expand All @@ -208,6 +228,7 @@ def set_auth_cookies(
expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
secure=app.config["JWT_COOKIE_SECURE"],
httponly=False,
samesite="Strict",
)
if fc_token:
response.set_cookie(
Expand All @@ -225,6 +246,7 @@ def set_auth_cookies(
expires=datetime.utcnow() + app.config["SESSION_COOKIE_LIFETIME"],
secure=app.config["JWT_COOKIE_SECURE"],
httponly=False,
samesite="Strict",
)


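Review bot: The two CSRF cookies added at L96–L113 are derived from the specific token they accompany (`get_csrf_token` reads the token's csrf claim), so any path that rotates the `at`/`rt` cookies without going through `set_auth_cookies`, and any logout/unset path, must also rewrite or delete the cookies named by `JWT_ACCESS_CSRF_COOKIE_NAME`/`JWT_REFRESH_CSRF_COOKIE_NAME`, or the double-submit check will fail on a stale value; that counterpart is outside the hunk and worth checking. `httponly=False` is correct here, unlike for the token cookies, and deserves a comment: `# readable by JS on purpose: the frontend copies it into the CSRF header`. With every cookie now `samesite="Strict"` (L103, L112, L120, L128, L136), the first request after a cross-site top-level redirect — e.g. returning from an external identity provider, which the `fc_token` branch at L130 suggests exists — arrives without these cookies; confirm that flow lands on a page that needs no authenticated request before continuing, or use `Lax` for the cookies that flow depends on. `set_auth_cookies` starts and ends outside the hunks.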
2 changes: 1 addition & 1 deletion config.py
Expand Up @@ -47,7 +47,7 @@ class Config:
"MATTERMOST_SECONDARY_LOG_CHANNEL", "#mobilic-secondary-alerts"
)
JWT_TOKEN_LOCATION = ["headers", "cookies"]
JWT_COOKIE_CSRF_PROTECT = False
JWT_COOKIE_CSRF_PROTECT = True
JWT_ACCESS_COOKIE_NAME = "at"
JWT_ACCESS_COOKIE_PATH = "/api"
JWT_REFRESH_COOKIE_NAME = "rt"
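Review bot: Flipping `JWT_COOKIE_CSRF_PROTECT` to True at L148 makes flask-jwt-extended require, for cookie-located tokens on the methods in `JWT_CSRF_METHODS` (POST/PUT/PATCH/DELETE by default), a CSRF header matching the token's csrf claim; tokens issued while the flag was False carry no such claim and will be rejected after deploy, so plan for a forced re-login rather than treating the first wave of 401s as a bug. Tokens sent in the Authorization header (`"headers"` in `JWT_TOKEN_LOCATION`, L146) are exempt from the check, which is sound since a cross-site page cannot set that header. The hunk does not set `JWT_ACCESS_CSRF_COOKIE_PATH`/`JWT_REFRESH_CSRF_COOKIE_PATH`; if they are not defined elsewhere in `Config` they fall back to the extension default of `/`, broader than the `/api` access-cookie path on L150, so consider `JWT_ACCESS_CSRF_COOKIE_PATH = "/api"` alongside it. The `Config` class continues outside the hunk.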