diff --git a/src/ahriman/web/apispec/info.py b/src/ahriman/web/apispec/info.py
index 040e0d99..4812d3fa 100644
--- a/src/ahriman/web/apispec/info.py
+++ b/src/ahriman/web/apispec/info.py
@@ -72,7 +72,7 @@ def _security() -> list[dict[str, Any]]:
 return [{
 "token": {
 "type": "apiKey", # as per specification we are using api key
- "name": "API_SESSION",
+ "name": "AHRIMAN",
 "in": "cookie",
 }
 }]
diff --git a/src/ahriman/web/middlewares/auth_handler.py b/src/ahriman/web/middlewares/auth_handler.py
index e189ea4b..44e36f14 100644
--- a/src/ahriman/web/middlewares/auth_handler.py
+++ b/src/ahriman/web/middlewares/auth_handler.py
@@ -149,11 +149,17 @@ def setup_auth(application: Application, configuration: Configuration, validator
 Application: configured web application
 """
 secret_key = _cookie_secret_key(configuration)
- storage = EncryptedCookieStorage(secret_key, cookie_name="API_SESSION", max_age=validator.max_age)
+ storage = EncryptedCookieStorage(
+ secret_key,
+ cookie_name="AHRIMAN",
+ max_age=validator.max_age,
+ httponly=True,
+ samesite="Strict",
+ )
 setup_session(application, storage)
 
 authorization_policy = _AuthorizationPolicy(validator)
- identity_policy = aiohttp_security.SessionIdentityPolicy()
+ identity_policy = aiohttp_security.SessionIdentityPolicy("SESSION")
 aiohttp_security.setup(application, identity_policy, authorization_policy)
 
 application.middlewares.append(_auth_handler(validator.allow_read_only))
diff --git a/src/ahriman/web/schemas/auth_schema.py b/src/ahriman/web/schemas/auth_schema.py
index 663022f1..906065eb 100644
--- a/src/ahriman/web/schemas/auth_schema.py
+++ b/src/ahriman/web/schemas/auth_schema.py
@@ -25,6 +25,6 @@ class AuthSchema(Schema):
 request cookie authorization schema
 """
 
- API_SESSION = fields.String(required=True, metadata={
+ AHRIMAN = fields.String(required=True, metadata={
 "description": "API session key as returned from authorization",
 })
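Review bot: The hardened `EncryptedCookieStorage` call in auth_handler.py sets `httponly` and `samesite` but leaves the `secure` flag at its default, so the session cookie is still sent over plain HTTP; the storage accepts `secure=...`, and because this service can be deployed with or without TLS the value belongs in configuration rather than a constant, e.g. `secure=<tls-enabled setting, placeholder>` next to `samesite="Strict"`. `SameSite=Strict` also withholds the cookie on cross-site top-level navigations, which would matter if the OAuth login callback expects an existing session on the redirect back (that flow is not visible here); `"Lax"` would still block cross-site POST while allowing that case. The `"SESSION"` argument to `SessionIdentityPolicy` is the key inside the encrypted session payload, not the cookie name, and deserves a short comment, e.g. `# key under which the identity is stored inside the session payload (distinct from the cookie name)`. setup_auth's body continues beyond the hunk.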
diff --git a/tests/ahriman/web/apispec/test_info.py b/tests/ahriman/web/apispec/test_info.py
index bfde0549..5372ddaf 100644
--- a/tests/ahriman/web/apispec/test_info.py
+++ b/tests/ahriman/web/apispec/test_info.py
@@ -23,7 +23,7 @@ def test_security() -> None:
 must generate security definitions for swagger
 """
 token = next(iter(_security()))["token"]
- assert token == {"type": "apiKey", "name": "API_SESSION", "in": "cookie"}
+ assert token == {"type": "apiKey", "name": "AHRIMAN", "in": "cookie"}
 
 
 def test_servers(application: Application) -> None:
diff --git a/tests/ahriman/web/schemas/test_auth_schema.py b/tests/ahriman/web/schemas/test_auth_schema.py
index a960157e..7f8e30ec 100644
--- a/tests/ahriman/web/schemas/test_auth_schema.py
+++ b/tests/ahriman/web/schemas/test_auth_schema.py
@@ -6,4 +6,4 @@ def test_schema() -> None:
 must return valid schema
 """
 schema = AuthSchema()
- assert not schema.validate({"API_SESSION": "key"})
+ assert not schema.validate({"AHRIMAN": "key"})
diff --git a/tests/ahriman/web/views/api/test_view_api_swagger.py b/tests/ahriman/web/views/api/test_view_api_swagger.py
index b03e8a45..99e1ef1d 100644
--- a/tests/ahriman/web/views/api/test_view_api_swagger.py
+++ b/tests/ahriman/web/views/api/test_view_api_swagger.py
@@ -27,7 +27,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
 "parameters": [
 {
 "in": "cookie",
- "name": "API_SESSION",
+ "name": "AHRIMAN",
 "schema": {
 "type": "string",
 },
@@ -39,7 +39,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
 "parameters": [
 {
 "in": "cookie",
- "name": "API_SESSION",
+ "name": "AHRIMAN",
 "schema": {
 "type": "string",
 },
@@ -60,7 +60,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
 {
 "token": {
 "type": "apiKey",
- "name": "API_SESSION",
+ "name": "AHRIMAN",
 "in": "cookie",
 },
 },