middleware: use sec-fetch-dest=document to identify page requests (#84104)

This commit is contained in:
Benjamin Dauvergne 2023-11-30 14:07:37 +01:00
parent 410cb6cc92
commit 200e009b1e
2 changed files with 20 additions and 3 deletions


@ -47,7 +47,10 @@ class PassiveAuthenticationMiddleware(MiddlewareMixin):
if request.headers.get('x-requested-with') == 'XMLHttpRequest':
return
sec_fetch_mode = request.headers.get('sec-fetch-mode')
if sec_fetch_mode and sec_fetch_mode != 'navigate':
if sec_fetch_mode and sec_fetch_mode not in ('navigate', 'same-origin'):
return
sec_fetch_dest = request.headers.get('sec-fetch-dest')
if sec_fetch_dest and sec_fetch_dest not in ('document', 'empty'):
return
# Skip AJAX and media/script requests, unless mellon_no_passive is False on the view
if getattr(view_func, 'mellon_no_passive', True) and 'text/html' not in request.headers.get(
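Review bot: The accepted values in the new Sec-Fetch-Dest check (`('document', 'empty')`) are wider than the commit title suggests, and nothing in the hunk says why `empty` (a same-origin `fetch()`/XHR, as the accompanying test with `Sec-Fetch-Mode: same-origin` expecting a 302 exercises) should trigger passive authentication alongside top-level documents; a short comment above the `sec_fetch_dest` lookup would spare the next reader that question, e.g. `# 'document' is a top-level navigation; 'empty' (same-origin fetch) is also treated as a page request so that passive SSO is attempted — see tests`. It would also help to state that both Sec-Fetch-* checks only apply when the browser sent the header, and that non-browser clients fall through to the X-Requested-With / Accept heuristics below, since the two `if ... and ... not in` guards read as if a missing header were always "allowed". The enclosing method starts before and ends after this hunk, so I cannot see whether the Accept check on the last line remains the only guard for header-less clients.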


@ -775,13 +775,27 @@ def test_passive_auth_middleware_ajax_x_requested_with(db, app, idp, caplog, set
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
def test_passive_auth_middleware_ajax_sec_fetch_mode(db, app, idp, caplog, settings):
def test_passive_auth_middleware_ajax_via_sec_fetch(db, app, idp, caplog, settings):
settings.MELLON_OPENED_SESSION_COOKIE_NAME = 'IDP_SESSION'
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
# webtest-lint is against unicode
app.set_cookie('IDP_SESSION', '1234')
response = app.get('/', headers={'Accept': 'text/html', 'Sec-Fetch-Mode': 'cors'}, status=200)
response = app.get(
'/',
headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'script', 'Sec-Fetch-Mode': 'same-origin'},
status=200,
)
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
response = app.get(
'/', headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'cors'}, status=200
)
assert 'MELLON_PASSIVE_TRIED' not in app.cookies
response = app.get(
'/',
headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'empty', 'Sec-Fetch-Mode': 'same-origin'},
status=302,
)
assert 'MELLON_PASSIVE_TRIED' in app.cookies
def test_sso_user_change(db, app, idp, caplog, sp_settings):
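Review bot: The renamed test does not exercise the case named in the commit title: no request carries `'Sec-Fetch-Dest': 'document'`, so the `document` branch of the new middleware check is only covered indirectly. A request such as `app.get('/', headers={'Accept': 'text/html', 'Sec-Fetch-Dest': 'document', 'Sec-Fetch-Mode': 'navigate'}, status=302)` would pin it, placed before the first request that is expected to set `MELLON_PASSIVE_TRIED`, since the later expectations presumably depend on that cookie not yet being present. Separately, the `response =` assignments in the three new calls are never read; `app.get(...)` alone would do, and a one-line comment noting that the request order matters because the cookie persists across calls within the test would make the sequence easier to maintain.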