Merge pull request #322 from TeskaLabs/fix/client-cookie-introspection

Fix client cookie introspection

CHANGELOG.md

@@ -3,17 +3,20 @@
 ## v23.44 (release candidate)
 
 ### Pre-releases
+- `v23.44-alpha5`
 - `v23.44-alpha4`
 - `v23.44-alpha3`
 
 ### Breaking changes
 - Dropped support for authorize query params `ldid` and `expiration` (#296, PLUM Sprint 231006)
 
 ### Fix
+- Fix client cookie introspection (#322, INDIGO Sprint 231110, `v23.44-alpha5`)
 - Handle missing webauthn data in login request (#314, INDIGO Sprint 231027, `v23.44-alpha4`)
 - Fix default authorize parameter values when redirecting (#313, PLUM Sprint 231020)
 
 ### Features
+- Lower client ID length limit (#322, INDIGO Sprint 231110, `v23.44-alpha5`)
 - Include client ID and scope in session detail (#318, INDIGO Sprint 231027, `v23.44-alpha4`)
 - Reduce grafana sync frequency (#317, INDIGO Sprint 231027, `v23.44-alpha3`)
 - Authorization for websocket requests (#300, PLUM Sprint 231006)

seacatauth/client/service.py

@@ -50,7 +50,7 @@
 	# The order of the properties is preserved in the UI form
 	"preferred_client_id": {
 		"type": "string",
-		"pattern": "^[-_a-zA-Z0-9]{8,64}$",
+		"pattern": "^[-_a-zA-Z0-9]{4,64}$",
 		"description": "(Non-canonical) Preferred client ID."},
 	"client_name": {  # Can have language tags (e.g. "client_name#cs")
 		"type": "string",

seacatauth/cookie/handler.py

@@ -455,7 +455,7 @@ async def _authenticate_request(self, request, client_id=None):
 		Locate session by request cookie
 		"""
 		try:
-			session = await self.CookieService.get_session_by_request_cookie(request)
+			session = await self.CookieService.get_session_by_request_cookie(request, client_id)
 		except exceptions.NoCookieError:
 			L.log(asab.LOG_NOTICE, "No client cookie found in request", struct_data={"client_id": client_id})
 			return None