
Fixed cookie vars

This commit is contained in:
Eldad Fux 2020-07-01 09:35:57 +03:00
parent 56f397c2a3
commit f5af0e701c
3 changed files with 26 additions and 39 deletions


@ -15,33 +15,10 @@ use Appwrite\Database\Document;
use Appwrite\Database\Validator\Authorization;
use Appwrite\Network\Validator\Origin;
Config::setParam('domain', $_SERVER['HTTP_HOST']);
Config::setParam('domain', 'localhost');
Config::setParam('domainVerification', false);
// Config::setParam('domain', $request->getServer('HTTP_HOST', ''));
// Config::setParam('domainVerification', false);
\define('COOKIE_DOMAIN',
(
$_SERVER['HTTP_HOST'] === 'localhost' ||
$_SERVER['HTTP_HOST'] === 'localhost:'.$request->getPort() ||
(\filter_var($request->getHostname(), FILTER_VALIDATE_IP) !== false)
)
? null
: '.'.$request->getHostname()
);
\define('COOKIE_SAMESITE', Response::COOKIE_SAMESITE_NONE);
// \define('COOKIE_DOMAIN',
// (
// $request->getServer('HTTP_HOST', null) === 'localhost' ||
// $request->getServer('HTTP_HOST', null) === 'localhost:'.$request->getPort() ||
// (\filter_var($request->getHostname(), FILTER_VALIDATE_IP) !== false)
// )
// ? null
// : '.'.$request->getHostname()
// );
// \define('COOKIE_SAMESITE', Response::COOKIE_SAMESITE_NONE);
Config::setParam('cookieDomain', 'localhost');
Config::setParam('cookieSamesite', Response::COOKIE_SAMESITE_NONE);
// // Set project mail
// $register->get('smtp')
@ -98,10 +75,20 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
$selfDomain = new Domain(Config::getParam('hostname'));
$endDomain = new Domain($origin);
Config::setParam('domain', $request->getServer('HTTP_HOST', ''));
Config::setParam('domainVerification',
($selfDomain->getRegisterable() === $endDomain->getRegisterable()) &&
$endDomain->getRegisterable() !== '');
Config::setParam('cookieDomain', (
$request->getServer('HTTP_HOST', null) === 'localhost' ||
$request->getServer('HTTP_HOST', null) === 'localhost:'.$request->getPort() ||
(\filter_var($request->getHostname(), FILTER_VALIDATE_IP) !== false)
)
? null
: '.'.$request->getHostname()
);
/*
* Security Headers
*
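Review bot: The bootstrap default `Config::setParam('cookieDomain', 'localhost')` in the first hunk (@ -15,33) disagrees with what App::init computes for the same case in the second hunk, where a localhost or IP host takes the `? null` branch; a literal `Domain=localhost` attribute is handled inconsistently by browsers, so a cookie emitted before the init handler runs gets a different, less portable attribute than one emitted after it, and `Config::setParam('cookieDomain', null);` would keep the two paths consistent. The commented-out `COOKIE_DOMAIN`/`COOKIE_SAMESITE` blocks kept in the first hunk duplicate the new init-time code and should be deleted rather than carried along. The new cookie domain is derived from the request's Host header via `getServer('HTTP_HOST', null)` and `getHostname()`; if the web server in front does not already restrict accepted Host values, comparing the request host against the configured `hostname` already loaded into `$selfDomain` on the first line of the second hunk is the natural place to reject unexpected hosts before it becomes a cookie attribute. The App::init closure continues past the end of the second hunk.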


@ -234,8 +234,8 @@ App::post('/v1/account/sessions')
}
$response
->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($profile->getId(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, Auth::encodeSession($profile->getId(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $protocol), true, COOKIE_SAMESITE)
->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($profile->getId(), $secret), $expiry, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, Auth::encodeSession($profile->getId(), $secret), $expiry, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, Config::getParam('cookieSamesite'))
->setStatusCode(Response::STATUS_CODE_CREATED)
->json($session->getArrayCopy(['$id', 'type', 'expire']))
;
@ -526,7 +526,7 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
$state['success'] = URLParser::parse($state['success']);
$query = URLParser::parseQuery($state['success']['query']);
$query['project'] = $project->getId();
$query['domain'] = COOKIE_DOMAIN;
$query['domain'] = Config::getParam('cookieDomain');
$query['key'] = Auth::$cookieName;
$query['secret'] = Auth::encodeSession($user->getId(), $secret);
$state['success']['query'] = URLParser::unparseQuery($query);
@ -536,8 +536,8 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
$response
->addHeader('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0')
->addHeader('Pragma', 'no-cache')
->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($user->getId(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, Auth::encodeSession($user->getId(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $protocol), true, COOKIE_SAMESITE)
->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($user->getId(), $secret), $expiry, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, Auth::encodeSession($user->getId(), $secret), $expiry, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, Config::getParam('cookieSamesite'))
->redirect($state['success'])
;
}, ['request', 'response', 'project', 'user', 'projectDB', 'audit']);
@ -975,8 +975,8 @@ App::delete('/v1/account')
}
$response
->addCookie(Auth::$cookieName.'_legacy', '', \time() - 3600, '/', COOKIE_DOMAIN, ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, '', \time() - 3600, '/', COOKIE_DOMAIN, ('https' == $protocol), true, COOKIE_SAMESITE)
->addCookie(Auth::$cookieName.'_legacy', '', \time() - 3600, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, '', \time() - 3600, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, Config::getParam('cookieSamesite'))
->noContent()
;
}, ['request', 'response', 'user', 'projectDB', 'audit', 'webhook']);
@ -1034,8 +1034,8 @@ App::delete('/v1/account/sessions/:sessionId')
if ($token->getAttribute('secret') == Auth::hash(Auth::$secret)) { // If current session delete the cookies too
$response
->addCookie(Auth::$cookieName.'_legacy', '', \time() - 3600, '/', COOKIE_DOMAIN, ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, '', \time() - 3600, '/', COOKIE_DOMAIN, ('https' == $protocol), true, COOKIE_SAMESITE)
->addCookie(Auth::$cookieName.'_legacy', '', \time() - 3600, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, '', \time() - 3600, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, Config::getParam('cookieSamesite'))
;
}
@ -1093,8 +1093,8 @@ App::delete('/v1/account/sessions')
if ($token->getAttribute('secret') == Auth::hash(Auth::$secret)) { // If current session delete the cookies too
$response
->addCookie(Auth::$cookieName.'_legacy', '', \time() - 3600, '/', COOKIE_DOMAIN, ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, '', \time() - 3600, '/', COOKIE_DOMAIN, ('https' == $protocol), true, COOKIE_SAMESITE)
->addCookie(Auth::$cookieName.'_legacy', '', \time() - 3600, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, '', \time() - 3600, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, Config::getParam('cookieSamesite'))
;
}
}
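Review bot: On the new `addCookie` lines in the hunk at @ -234,8 the non-legacy cookie is sent with `Config::getParam('cookieSamesite')`, which the first file sets to `Response::COOKIE_SAMESITE_NONE`, while `Secure` is only `('https' == $protocol)`; browsers that implement the current SameSite rules reject a `SameSite=None` cookie that is not also `Secure`, so over plain http only the `_legacy` cookie is stored and the session silently depends on it. A comment above the pair such as `// Two cookies: the SameSite=None one is only accepted by browsers when Secure (https); the _legacy one without SameSite is the fallback` would make that dependence visible where the flags are chosen. The same two-line pair is repeated verbatim in the hunks at @ -536,8, @ -975,8, @ -1034,8 and @ -1093,8 and again in the third file; moving it into one helper that reads `cookieDomain` and `cookieSamesite` once would keep the copies from drifting. Each enclosing route closure begins and ends outside its hunk.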


@ -570,8 +570,8 @@ App::patch('/v1/teams/:teamId/memberships/:inviteId/status')
}
$response
->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($user->getId(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, Auth::encodeSession($user->getId(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $protocol), true, COOKIE_SAMESITE)
->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($user->getId(), $secret), $expiry, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, null)
->addCookie(Auth::$cookieName, Auth::encodeSession($user->getId(), $secret), $expiry, '/', Config::getParam('cookieDomain'), ('https' == $protocol), true, Config::getParam('cookieSamesite'))
->json(\array_merge($membership->getArrayCopy([
'$id',
'userId',