summaryrefslogtreecommitdiff
path: root/lib/web/auth/github
diff options
context:
space:
mode:
authorSheogorath2020-06-10 15:08:39 +0200
committerSheogorath2020-06-10 15:16:32 +0200
commit3d1fab0512a828927f277796a0e23e8133230be5 (patch)
tree91e72624ababb53fe550868dc998bf2612447c58 /lib/web/auth/github
parent8cf3b50ee9108e06d7c9a0aac78b4fffa4ef4453 (diff)
Relax cookie restrictions to 'lax' to allow frontend to work
Our frontend requests the `/me` pathname in order to determine whether it's logged in or not. Due to the fact that the sameSite attribute of the session cookie was set to `strict` in a previous commit, the session token was no longer sent along with HTTP calls initiated by JS. This is due to the RFCs definition of "safe" HTTP calls in RFC7231. The bug triggers the UI to show up like an unauthenticated user, even after a successful login. In order to debug it a look into the send cookies to the `/me` turned out to be very enlightening. The fix this patch implements is rather simple, it replaces the sameSite attribute to `lax` which enables the cookies for those requests again. Some older and mobile clients were unaffected by this due to the lack of implementations of sameSite policies. References: https://tools.ietf.org/html/rfc7231#section-4.2.1 https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite https://github.com/codimd/server/commit/e77e7b165ac4920290015ec4b95e651730009edc Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions