feat: (more) secure cookies

2026-02-18 23:48:28 +02:00
parent 5266f54257
commit 6fe2eade26
6 changed files with 15 additions and 9 deletions


@@ -72,7 +72,7 @@ def _security() -> list[dict[str, Any]]:
return [{
"token": {
"type": "apiKey", # as per specification we are using api key
"name": "API_SESSION",
"name": "AHRIMAN",
"in": "cookie",
}
}]


@@ -149,11 +149,17 @@ def setup_auth(application: Application, configuration: Configuration, validator
Application: configured web application
"""
secret_key = _cookie_secret_key(configuration)
storage = EncryptedCookieStorage(secret_key, cookie_name="API_SESSION", max_age=validator.max_age)
storage = EncryptedCookieStorage(
secret_key,
cookie_name="AHRIMAN",
max_age=validator.max_age,
httponly=True,
samesite="Strict",
)
setup_session(application, storage)
authorization_policy = _AuthorizationPolicy(validator)
identity_policy = aiohttp_security.SessionIdentityPolicy()
identity_policy = aiohttp_security.SessionIdentityPolicy("SESSION")
aiohttp_security.setup(application, identity_policy, authorization_policy)
application.middlewares.append(_auth_handler(validator.allow_read_only))
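Review bot: The `EncryptedCookieStorage(` call sets `httponly=True` and `samesite="Strict"` but leaves out the `secure` flag, so the session cookie is still offered over plain HTTP and the encrypted session value can be captured on the wire; for a commit titled "(more) secure cookies" I would expect `secure=True,` alongside the other two keyword arguments. If the application is ever reached over plain HTTP (local development, or a proxy that does not forward the scheme), a hard-coded `secure=True` would make login silently fail, so it is probably worth sourcing this from `configuration` the same way `_cookie_secret_key(configuration)` already does. A related point of style: the literal `"AHRIMAN"` now appears here and again in the OpenAPI security scheme and the `AuthSchema` field in the other two hunks; a single module-level constant would keep the three from drifting apart on the next rename. The enclosing `setup_auth` starts outside the hunk.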


@@ -25,6 +25,6 @@ class AuthSchema(Schema):
request cookie authorization schema
"""
API_SESSION = fields.String(required=True, metadata={
AHRIMAN = fields.String(required=True, metadata={
"description": "API session key as returned from authorization",
})