middleware: check ajax request with sec-fetch-mode header header (#81211)

mellon/middleware.py

@@ -46,6 +46,9 @@ class PassiveAuthenticationMiddleware(MiddlewareMixin):
         # Skip AJAX requests
         if request.headers.get('x-requested-with') == 'XMLHttpRequest':
             return
+        sec_fetch_mode = request.headers.get('sec-fetch-mode')
+        if sec_fetch_mode and sec_fetch_mode != 'navigate':
+            return
         # Skip AJAX and media/script requests, unless mellon_no_passive is False on the view
         if getattr(view_func, 'mellon_no_passive', True) and 'text/html' not in request.headers.get(
             'Accept', ''

tests/test_sso_slo.py

@@ -766,6 +766,24 @@ def test_passive_auth_middleware_no_passive_auth_parameter(db, app, idp, caplog,
     app.get('/?no-passive-auth', headers={'Accept': 'text/html'}, status=200)
 
 
+def test_passive_auth_middleware_ajax_x_requested_with(db, app, idp, caplog, settings):
+    settings.MELLON_OPENED_SESSION_COOKIE_NAME = 'IDP_SESSION'
+    assert 'MELLON_PASSIVE_TRIED' not in app.cookies
+    # webtest-lint is against unicode
+    app.set_cookie('IDP_SESSION', '1234')
+    response = app.get('/', headers={'Accept': 'text/html', 'X-Requested-With': 'XMLHttpRequest'}, status=200)
+    assert 'MELLON_PASSIVE_TRIED' not in app.cookies
+
+
+def test_passive_auth_middleware_ajax_sec_fetch_mode(db, app, idp, caplog, settings):
+    settings.MELLON_OPENED_SESSION_COOKIE_NAME = 'IDP_SESSION'
+    assert 'MELLON_PASSIVE_TRIED' not in app.cookies
+    # webtest-lint is against unicode
+    app.set_cookie('IDP_SESSION', '1234')
+    response = app.get('/', headers={'Accept': 'text/html', 'Sec-Fetch-Mode': 'cors'}, status=200)
+    assert 'MELLON_PASSIVE_TRIED' not in app.cookies
+
+
 def test_sso_user_change(db, app, idp, caplog, sp_settings):
     response = app.get(reverse('mellon_login') + '?next=/whatever/')
     url, body, relay_state = idp.process_authn_request_redirect(response['Location'])