feat: (more) secure cookies

2026-02-24 13:49:48 +00:00 · 2026-02-18 23:48:28 +02:00
parent 5266f54257
commit 6fe2eade26
6 changed files with 15 additions and 9 deletions
--- a/src/ahriman/web/apispec/info.py
+++ b/src/ahriman/web/apispec/info.py
@@ -72,7 +72,7 @@ def _security() -> list[dict[str, Any]]:
    return [{
        "token": {
            "type": "apiKey",  # as per specification we are using api key
-            "name": "API_SESSION",
+            "name": "AHRIMAN",
            "in": "cookie",
        }
    }]
--- a/src/ahriman/web/middlewares/auth_handler.py
+++ b/src/ahriman/web/middlewares/auth_handler.py
@@ -149,11 +149,17 @@ def setup_auth(application: Application, configuration: Configuration, validator
        Application: configured web application
    """
    secret_key = _cookie_secret_key(configuration)
-    storage = EncryptedCookieStorage(secret_key, cookie_name="API_SESSION", max_age=validator.max_age)
+    storage = EncryptedCookieStorage(
+        secret_key,
+        cookie_name="AHRIMAN",
+        max_age=validator.max_age,
+        httponly=True,
+        samesite="Strict",
+    )
    setup_session(application, storage)

    authorization_policy = _AuthorizationPolicy(validator)
-    identity_policy = aiohttp_security.SessionIdentityPolicy()
+    identity_policy = aiohttp_security.SessionIdentityPolicy("SESSION")

    aiohttp_security.setup(application, identity_policy, authorization_policy)
    application.middlewares.append(_auth_handler(validator.allow_read_only))
--- a/src/ahriman/web/schemas/auth_schema.py
+++ b/src/ahriman/web/schemas/auth_schema.py
@@ -25,6 +25,6 @@ class AuthSchema(Schema):
    request cookie authorization schema
    """

-    API_SESSION = fields.String(required=True, metadata={
+    AHRIMAN = fields.String(required=True, metadata={
        "description": "API session key as returned from authorization",
    })
--- a/tests/ahriman/web/apispec/test_info.py
+++ b/tests/ahriman/web/apispec/test_info.py
@@ -23,7 +23,7 @@ def test_security() -> None:
    must generate security definitions for swagger
    """
    token = next(iter(_security()))["token"]
-    assert token == {"type": "apiKey", "name": "API_SESSION", "in": "cookie"}
+    assert token == {"type": "apiKey", "name": "AHRIMAN", "in": "cookie"}


 def test_servers(application: Application) -> None:
--- a/tests/ahriman/web/schemas/test_auth_schema.py
+++ b/tests/ahriman/web/schemas/test_auth_schema.py
@@ -6,4 +6,4 @@ def test_schema() -> None:
    must return valid schema
    """
    schema = AuthSchema()
-    assert not schema.validate({"API_SESSION": "key"})
+    assert not schema.validate({"AHRIMAN": "key"})
--- a/tests/ahriman/web/views/api/test_view_api_swagger.py
+++ b/tests/ahriman/web/views/api/test_view_api_swagger.py
@@ -27,7 +27,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
                    "parameters": [
                        {
                            "in": "cookie",
-                            "name": "API_SESSION",
+                            "name": "AHRIMAN",
                            "schema": {
                                "type": "string",
                            },
@@ -39,7 +39,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
                    "parameters": [
                        {
                            "in": "cookie",
-                            "name": "API_SESSION",
+                            "name": "AHRIMAN",
                            "schema": {
                                "type": "string",
                            },
@@ -60,7 +60,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
            {
                "token": {
                    "type": "apiKey",
-                    "name": "API_SESSION",
+                    "name": "AHRIMAN",
                    "in": "cookie",
                },
            },