Add SameSite cookie attribute and set it to Strict

thevickypedia · Feb 18, 2024 · 93e774e · 93e774e
1 parent b7864bd
commit 93e774e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 12 deletions.
diff --git a/.github/workflows/none.yml b/.github/workflows/none.yml
@@ -15,4 +15,4 @@ jobs:
       - uses: actions/checkout@v4
       - uses: thevickypedia/none-shall-pass@v4
         with:
-          excludeHostnames: "crates docs"
+          excludeHostnames: "crates"
diff --git a/src/routes/auth.rs b/src/routes/auth.rs
@@ -1,7 +1,7 @@
 use std::sync::{Arc, Mutex};
 
 use actix_web::{HttpRequest, HttpResponse, web};
-use actix_web::cookie::Cookie;
+use actix_web::cookie::{Cookie, SameSite};
 use actix_web::cookie::time::{Duration, OffsetDateTime};
 use actix_web::http::StatusCode;
 use minijinja;
@@ -30,7 +30,7 @@ pub struct DetailError {
 ///
 /// # Returns
 ///
-/// * `200` - HttpResponse with a session-token and redirect URL to the `/home` entrypoint.
+/// * `200` - HttpResponse with a `session_token` and redirect URL to the `/home` entrypoint.
 /// * `401` - HttpResponse with an error message for failed authentication.
 #[post("/login")]
 pub async fn login(config: web::Data<Arc<squire::settings::Config>>, request: HttpRequest) -> HttpResponse {
@@ -49,13 +49,15 @@ pub async fn login(config: web::Data<Arc<squire::settings::Config>>, request: Ht
     let payload = serde_json::to_string(&mapped).unwrap();
     let encrypted_payload = constant::FERNET.encrypt(payload.as_bytes());
 
-    let mut cookie = Cookie::build("session_token", encrypted_payload)
+    let cookie_duration = Duration::seconds(config.session_duration as i64);
+    let expiration = OffsetDateTime::now_utc() + cookie_duration;
+    let cookie = Cookie::build("session_token", encrypted_payload)
         .http_only(true)
+        .same_site(SameSite::Strict)
+        .max_age(cookie_duration)
+        .expires(expiration)
         .finish();
 
-    let expiration = OffsetDateTime::now_utc() + Duration::seconds(config.session_duration as i64);
-    cookie.set_expires(expiration);
-
     log::info!("Session for '{}' will be valid until {}", mapped.get("username").unwrap(), expiration);
 
     let mut response = HttpResponse::Ok().json(RedirectResponse {
@@ -102,10 +104,9 @@ pub async fn logout(config: web::Data<Arc<squire::settings::Config>>,
         }
         rendered = logout_template.render(minijinja::context!(detail => "You have been logged out successfully.")).unwrap();
 
-        // Set to the lowest possible second since deletion is not an option
-        let age = Duration::new(0, 1);
-        let cookie = Cookie::build("session_token", "logout")
-            .http_only(true).max_age(age).finish();
+        let mut cookie = Cookie::new("session_token", "");
+        cookie.set_same_site(SameSite::Strict);
+        cookie.make_removal();
         response.cookie(cookie);
     } else {
         log::debug!("No stored session found for {}", host);
@@ -197,6 +198,7 @@ pub fn failed_auth(auth_response: squire::authenticator::AuthToken) -> HttpRespo
     let cookie = Cookie::build("detail", detail)
         .path("/error")
         .http_only(true)
+        .same_site(SameSite::Strict)
         .max_age(age)
         .finish();
     response.cookie(cookie);

diff --git a/src/templates/session.rs b/src/templates/session.rs
@@ -3,7 +3,7 @@
 /// # See Also
 ///
 /// - This page is served as a response for all the content delivery entry points,
-/// when the user session-token is invalid or expired.
+/// when the user's `session_token` is invalid or expired.
 ///
 /// # Returns
 ///