From d958878218af04950817c9936eb236063cd55d2a Mon Sep 17 00:00:00 2001
From: Daven Quinn
Date: Wed, 16 Oct 2024 04:09:43 -0500
Subject: [PATCH] Set cookies for localhost as well as origin

---
 api/routes/security.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/api/routes/security.py b/api/routes/security.py
index 52207c6..06877cc 100644
--- a/api/routes/security.py
+++ b/api/routes/security.py
@@ -230,14 +230,20 @@ async def redirect_authorization(return_url: str = None):
 async def redirect_callback(code: str, state: Optional[str] = None):
     """Exchange the code for a token and redirect to the state URL"""
+    uri = os.environ['REDIRECT_URI']
     data = {
         'grant_type': 'authorization_code',
         'client_id': os.environ['OAUTH_CLIENT_ID'],
         'client_secret': os.environ['OAUTH_CLIENT_SECRET'],
         'code': code,
-        'redirect_uri': os.environ['REDIRECT_URI']
+        'redirect_uri': uri
     }
+    # Get the domain for the redirect URL
+    parsed_url = urllib.parse.urlparse(uri)
+    domain = parsed_url.netloc
+
+
     async with aiohttp.ClientSession() as session:
         async with session.post(os.environ['OAUTH_TOKEN_URL'], data=data) as token_response:
@@ -284,7 +290,16 @@ async def redirect_callback(code: str, state: Optional[str] = None):
         )
     response = RedirectResponse(state if state else "/")
-    response.set_cookie(key="Authorization", value=f"Bearer {access_token}", httponly=True, samesite="lax")
+    redirect_domain = urllib.parse.urlparse(state).netloc
+
+    # Set a cookie for the API domain
+    response.set_cookie(key="Authorization", value=f"Bearer {access_token}", httponly=True, samesite="lax",
+                        domain=domain)
+    # Set the same cookie for localhost if we're doing a redirect to another domain (this is likely a dev mode request)
+    # We may want to restrict this to development environments in the future...
+    if redirect_domain not in [domain, ""]:
+        response.set_cookie(key="Authorization", value=f"Bearer {access_token}", httponly=True, samesite="lax",
+                            domain="localhost")
     return response
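Review bot: `urllib.parse.urlparse(state).netloc` yields `b''` (a ParseResultBytes) when `state` is None, which is the parameter's declared default, and `b'' not in [domain, ""]` is then True, so the localhost cookie is also set on the plain `/` redirect, the opposite of what the comment intends; coerce first with `redirect_domain = urllib.parse.urlparse(state or "").netloc`. The `domain` passed to both `set_cookie` calls is the `netloc` computed in the first hunk, which keeps any `:port` present in REDIRECT_URI; a cookie Domain attribute carrying a port does not domain-match the request host and the cookie is dropped, so `parsed_url.hostname` is the field to use there. Because `state` is a request-supplied value, the localhost branch is reachable by any caller rather than only in development, so gating it on an explicit development setting, as the comment already anticipates, and adding `secure=True` to the bearer-token cookie would narrow its exposure. redirect_callback begins before this hunk.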