misc: add setting to set secure flag on opened session cookie (#45938)
This commit is contained in:
parent
a0eeaede8d
commit
5d32b8db52
|
@ -118,6 +118,8 @@ LOGGING = {
|
|||
},
|
||||
}
|
||||
|
||||
A2_OPENED_SESSION_COOKIE_SECURE = True
|
||||
|
||||
# Old settings method
|
||||
def extract_settings_from_environ():
|
||||
import json
|
||||
|
|
|
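Review bot: `A2_OPENED_SESSION_COOKIE_SECURE = True` at line 19 is added without any explanation, while the app-level default in the `app_settings` hunk (line 79) is `False`; the same unexplained override appears again at line 47. Since a Secure cookie is silently ignored by browsers on a deployment that is still served over plain HTTP, a one-line comment stating why this settings file forces it on would help operators who copy these files; for example `# Opened-session marker cookie is only sent over HTTPS; set to False for plain-HTTP setups`. The surrounding `LOGGING` dict and the later `extract_settings_from_environ` function both extend outside this hunk.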
@ -39,6 +39,8 @@ if 'syslog' in LOGGING['handlers']:
|
|||
# Default login's form username label
|
||||
A2_USERNAME_LABEL = _('Email')
|
||||
|
||||
A2_OPENED_SESSION_COOKIE_SECURE = True
|
||||
|
||||
# Rest Authentication Class for services access
|
||||
REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] += (
|
||||
'authentic2.authentication.Authentic2Authentication',
|
||||
|
|
|
@ -208,6 +208,8 @@ default_settings = dict(
|
|||
definition='Authentic session open'),
|
||||
A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(
|
||||
default=None),
|
||||
A2_OPENED_SESSION_COOKIE_SECURE=Setting(
|
||||
default=False),
|
||||
A2_ATTRIBUTE_KINDS=Setting(
|
||||
default=(),
|
||||
definition='List of other attribute kinds'),
|
||||
|
|
|
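Review bot: The new `A2_OPENED_SESSION_COOKIE_SECURE=Setting(default=False)` entry at lines 76-79 is the only `Setting` in view that carries no `definition=`, unlike its neighbours at line 67 (`'Authentic session open'`) and line 88 (`'List of other attribute kinds'`); add one, e.g. `definition='Set the Secure flag on the opened session cookie (HTTPS only)'`. With `default=False`, every deployment that does not override the setting keeps emitting the marker cookie over cleartext, which is the less safe default; if Django's `settings` object is reachable in this module, deriving the default from `SESSION_COOKIE_SECURE` would keep the two cookies consistent, but I cannot confirm from the hunk what is in scope here. The `default_settings = dict(` literal begins and ends outside the hunk.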
@ -62,7 +62,8 @@ class OpenedSessionCookieMiddleware(MiddlewareMixin):
|
|||
else:
|
||||
domain = app_settings.A2_OPENED_SESSION_COOKIE_DOMAIN
|
||||
if hasattr(request, 'user') and request.user.is_authenticated:
|
||||
response.set_cookie(name, value='1', max_age=None, domain=domain)
|
||||
response.set_cookie(name, value='1', max_age=None, domain=domain,
|
||||
secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE)
|
||||
elif app_settings.A2_OPENED_SESSION_COOKIE_NAME in request.COOKIES:
|
||||
response.delete_cookie(name, domain=domain)
|
||||
return response
|
||||
|
|
|
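Review bot: The deletion path at line 118, `response.delete_cookie(name, domain=domain)`, is left untouched, so the expiring cookie it emits does not carry the new `secure` attribute that the cookie set at lines 109-112 now has. Whether browsers still honour that deletion depends on the Django version in use (older `delete_cookie` implementations emit the expiry without a Secure flag, and some browsers refuse non-secure writes that would clobber a Secure cookie), so it is worth confirming against the project's Django version, or expiring the cookie with the same flags via `response.set_cookie(name, value='', max_age=0, domain=domain, secure=app_settings.A2_OPENED_SESSION_COOKIE_SECURE)`. The middleware method that contains these lines starts outside the hunk.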
@ -1295,7 +1295,7 @@ def test_api_get_role_list(app, admin_ou1, role_ou1, role_random):
|
|||
|
||||
|
||||
def test_no_opened_session_cookie_on_api(app, user, settings):
|
||||
settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'testserver'
|
||||
settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'testserver.local'
|
||||
app.authorization = ('Basic', (user.username, user.username))
|
||||
resp = app.get('/api/users/')
|
||||
assert 'A2_OPENED_SESSION' not in app.cookies
|
||||
|
|
|
@ -277,3 +277,18 @@ def test_login_error_messages(app, settings, simple_user):
|
|||
assert 'Incorrect Username or password.' in resp
|
||||
assert 'use the forgotten password link below' not in resp
|
||||
assert 'or create an account.' in resp
|
||||
|
||||
|
||||
def test_login_opened_session_cookie(db, app, settings, simple_user):
|
||||
settings.A2_OPENED_SESSION_COOKIE_DOMAIN = 'testserver.local'
|
||||
app.cookiejar.clear()
|
||||
login(app, simple_user)
|
||||
assert 'A2_OPENED_SESSION' in app.cookies
|
||||
|
||||
settings.A2_OPENED_SESSION_COOKIE_SECURE = True
|
||||
app.cookiejar.clear()
|
||||
login(app, simple_user)
|
||||
assert 'A2_OPENED_SESSION' in app.cookies
|
||||
for cookie in app.cookiejar:
|
||||
if cookie.name == 'A2_OPENED_SESSION':
|
||||
assert cookie.secure is True
|
||||
|
|
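Review bot: The first phase of `test_login_opened_session_cookie` (lines 174-183) only checks that the cookie exists and never asserts the Secure flag is absent, so the test would pass identically if the middleware always set `secure=True` regardless of the setting; pin the off state explicitly with `settings.A2_OPENED_SESSION_COOKIE_SECURE = False` before the first login and `assert cookie.secure is False` on the matching cookie. The closing loop at lines 200-206 also asserts nothing if no cookie matches the name; although line 197 guards that case, a single expression is more direct: `assert any(cookie.secure for cookie in app.cookiejar if cookie.name == 'A2_OPENED_SESSION')`. The assertion at line 197 relies on the WebTest cookiejar storing a Secure cookie received over the test client's plain-HTTP scheme, which I believe it does, but it is an assumption worth a short comment.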