Merge pull request #394 from TeskaLabs/fix/update-encrypted-session-f…

…ield Encrypt cookie value in session update
TeskaLabs · Jun 13, 2024 · 3c616cc · 3c616cc
2 parents a5fb552 + 93c82d5
commit 3c616cc
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,7 @@
 - Default password criteria are more restrictive (#372, `v24.20-alpha1`, Compatible with Seacat Auth Webui v24.19-alpha and later, Seacat Account Webui v24.08-beta and later)
 
 ### Fix
+- Properly encrypt cookie value in session update (#394, `v24.20-alpha11`)
 - Properly parse URL query before adding new parameters (#393, `v24.20-alpha11`)
 - Delete client cookie on introspection failure (#385, `v24.20-alpha6`)
 - Extend session expiration at cookie entrypoint (#383, `v24.20-alpha5`)

diff --git a/seacatauth/session/service.py b/seacatauth/session/service.py
@@ -252,10 +252,18 @@ async def update_session(self, session_id: str, session_builders: list):
 
 		for session_builder in session_builders:
 			for key, value in session_builder:
-				upsertor.set(key, value, encrypt=(key in SessionAdapter.EncryptedAttributes))
+				if key in SessionAdapter.EncryptedIdentifierFields and value is not None:
+					value = SessionAdapter.EncryptedPrefix + self.aes_encrypt(value)
+					upsertor.set(key, value)
+				else:
+					upsertor.set(key, value, encrypt=(key in SessionAdapter.EncryptedAttributes))
 
 		await upsertor.execute(event_type=EventTypes.SESSION_UPDATED)
 
+		L.log(asab.LOG_NOTICE, "Session updated.", struct_data={
+			"sid": session_id,
+			"type": session_dict.get(SessionAdapter.FN.Session.Type),
+		})
 		return await self.get(session_id)