arcanis/ahriman
1
0
Fork 0
mirror of https://github.com/arcan1s/ahriman.git synced 2026-02-24 21:59:48 +00:00
Code Issues Projects Releases Wiki Activity

feat: (more) secure cookies

Browse Source
This commit is contained in:
Evgenii Alekseev
2026-02-18 23:48:28 +02:00
parent 5266f54257
commit 6fe2eade26
6 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/ahriman/web/apispec/info.py
View File

@@ -72,7 +72,7 @@ def _security() -> list[dict[str, Any]]:
return [{ return [{
"token": { "token": {
"type": "apiKey", # as per specification we are using api key "type": "apiKey", # as per specification we are using api key
"name": "API_SESSION", "name": "AHRIMAN",
"in": "cookie", "in": "cookie",
} }
}] }]

10
src/ahriman/web/middlewares/auth_handler.py
View File

@@ -149,11 +149,17 @@ def setup_auth(application: Application, configuration: Configuration, validator
Application: configured web application Application: configured web application
""" """
secret_key = _cookie_secret_key(configuration) secret_key = _cookie_secret_key(configuration)
storage = EncryptedCookieStorage(secret_key, cookie_name="API_SESSION", max_age=validator.max_age) storage = EncryptedCookieStorage(
secret_key,
cookie_name="AHRIMAN",
max_age=validator.max_age,
httponly=True,
samesite="Strict",
)
setup_session(application, storage) setup_session(application, storage)
authorization_policy = _AuthorizationPolicy(validator) authorization_policy = _AuthorizationPolicy(validator)
identity_policy = aiohttp_security.SessionIdentityPolicy() identity_policy = aiohttp_security.SessionIdentityPolicy("SESSION")
aiohttp_security.setup(application, identity_policy, authorization_policy) aiohttp_security.setup(application, identity_policy, authorization_policy)
application.middlewares.append(_auth_handler(validator.allow_read_only)) application.middlewares.append(_auth_handler(validator.allow_read_only))

2
src/ahriman/web/schemas/auth_schema.py
View File

@@ -25,6 +25,6 @@ class AuthSchema(Schema):
request cookie authorization schema request cookie authorization schema
""" """
API_SESSION = fields.String(required=True, metadata={ AHRIMAN = fields.String(required=True, metadata={
"description": "API session key as returned from authorization", "description": "API session key as returned from authorization",
}) })

2
tests/ahriman/web/apispec/test_info.py
View File

@@ -23,7 +23,7 @@ def test_security() -> None:
must generate security definitions for swagger must generate security definitions for swagger
""" """
token = next(iter(_security()))["token"] token = next(iter(_security()))["token"]
assert token == {"type": "apiKey", "name": "API_SESSION", "in": "cookie"} assert token == {"type": "apiKey", "name": "AHRIMAN", "in": "cookie"}
def test_servers(application: Application) -> None: def test_servers(application: Application) -> None:

2
tests/ahriman/web/schemas/test_auth_schema.py
View File

@@ -6,4 +6,4 @@ def test_schema() -> None:
must return valid schema must return valid schema
""" """
schema = AuthSchema() schema = AuthSchema()
assert not schema.validate({"API_SESSION": "key"}) assert not schema.validate({"AHRIMAN": "key"})

6
tests/ahriman/web/views/api/test_view_api_swagger.py
View File

@@ -27,7 +27,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
"parameters": [ "parameters": [
{ {
"in": "cookie", "in": "cookie",
"name": "API_SESSION", "name": "AHRIMAN",
"schema": { "schema": {
"type": "string", "type": "string",
}, },
@@ -39,7 +39,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
"parameters": [ "parameters": [
{ {
"in": "cookie", "in": "cookie",
"name": "API_SESSION", "name": "AHRIMAN",
"schema": { "schema": {
"type": "string", "type": "string",
}, },
@@ -60,7 +60,7 @@ def _client(client: TestClient, mocker: MockerFixture) -> TestClient:
{ {
"token": { "token": {
"type": "apiKey", "type": "apiKey",
"name": "API_SESSION", "name": "AHRIMAN",
"in": "cookie", "in": "cookie",
}, },
}, },