From b9fe036b33bce65a3c8bcc2027a69d343c15d787 Mon Sep 17 00:00:00 2001
From: Karl Czajkowski
Date: Wed, 20 Mar 2024 14:13:13 -0700
Subject: [PATCH] customize deriva_ctx.deriva_response.set_cookie to observe webauthn2_config detect default (None) keyword params and replace with values in webauthn2_config before passing to real set_cookie method - web_cookie_path: changes default path string - web_cookie_secure: changes default secure boolean - web_cookie_domain: adds new default logic for the new domain field, three values are enabled: - None: scope to the HTTP host (default) - True: scope to the HTTP host w/ subdomain matching - type str: an explicit domain, prefix with '.' for subdomain matching
---
 webauthn2/rest.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/webauthn2/rest.py b/webauthn2/rest.py
index e80ce11..35537ea 100644
--- a/webauthn2/rest.py
+++ b/webauthn2/rest.py
@@ -210,11 +210,30 @@ def request_trace(tracedata): webauthn2_context=deriva_ctx.webauthn2_context, )) +class _Response (flask.Response): + """Like flask.Response but customizing set_cookie behavior for webauthn""" + + def set_cookie(self, key, value='', max_age=None, expires=None, path=None, domain=None, secure=None, httponly=False): + """Allow webauthn config to customize default cookie parameters""" + if path is None: + path = _manager.config.get('web_cookie_path', '/') + + if domain is None: + domain = _manager.config.get('web_cookie_domain', None) + if domain is True: + domain = '.%s' % (flask.request.host,) + + if secure is None: + secure = _manager.config.get('web_cookie_secure', None) + + return super(_Response, self).set_cookie( + key, value=value, max_age=max_age, expires=expires, path=path, domain=domain, secure=secure, httponly=httponly) + @app.before_request def before_request(): # request context init deriva_ctx.webauthn_dispatched_handler = None - deriva_ctx.deriva_response = flask.Response() # allow us to accumulate response content by side-effect + deriva_ctx.deriva_response = _Response() # allow us to accumulate response content by side-effect deriva_ctx.webauthn_request_guid = base64.b64encode( struct.pack('Q', random.getrandbits(64)) ).decode() deriva_ctx.webauthn_start_time = datetime.datetime.now(timezone.utc) deriva_ctx.webauthn_request_content_range = None
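Review bot: The new `set_cookie` override leaves the Secure attribute off whenever `web_cookie_secure` is not configured: `secure` falls through as `None`, which Werkzeug treats the same as `False`, so cookies issued by an authentication service are sent without `Secure` by default; a safer fallback is the transport itself, `secure = _manager.config.get('web_cookie_secure', flask.request.is_secure)` (assuming the proxy chain preserves the scheme). The override also narrows the Werkzeug signature by omitting `samesite`, so any caller passing `samesite=` now raises `TypeError` and there is no way to set SameSite on these cookies through this path; add `samesite=None` to the parameter list and forward it as `samesite=samesite` in the `super().set_cookie(...)` call. In the `domain is True` branch, `flask.request.host` may include a port (`host:8443`), which is not valid in a cookie `Domain` attribute and makes browsers discard the cookie, so strip any port before prefixing the dot. The `_Response` docstring should state the three accepted `web_cookie_domain` values (`None`, `True`, or an explicit domain string with a leading `.` for subdomain matching), which only the commit message documents today; `before_request`'s body may continue past the end of the hunk.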