diff --git a/src/auth/identification.py b/src/auth/identification.py
index ab265525..5b3e2851 100644
--- a/src/auth/identification.py
+++ b/src/auth/identification.py
@@ -116,7 +116,8 @@ def _read_client_token(self, request_handler):
 def _write_client_token(self, client_id, request_handler):
 expiry_time = date_utils.get_current_millis() + days_to_ms(self.EXPIRES_DAYS)
 new_token = client_id + '&' + str(expiry_time)
- request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS)
+ server_config = request_handler.application.server_config
+ request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=True)
 def _can_write(self, request_handler):
 return can_write_secure_cookie(request_handler)
diff --git a/src/auth/oauth_token_manager.py b/src/auth/oauth_token_manager.py
index cc937292..84ae339b 100644
--- a/src/auth/oauth_token_manager.py
+++ b/src/auth/oauth_token_manager.py
@@ -24,7 +24,8 @@ def update_tokens(self, token_response: OAuthTokenResponse, username, request_ha
 if not self._enabled:
 return
- request_handler.set_secure_cookie('token', token_response.access_token)
+ server_config = request_handler.application.server_config
+ request_handler.set_secure_cookie('token', token_response.access_token, httponly=True, secure=server_config.cookie_secure)
 if token_response.should_refresh():
 refresh_token = token_response.refresh_token
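Review bot: The rewritten `set_secure_cookie` call for the client-id cookie gets `secure` and `httponly` but no `samesite`, while the `_xsrf` cookie in server.py does get `'samesite': 'Lax'`; the cookies that actually carry a credential are the ones where SameSite limits cross-site replay, so this is the one that needs it most. `set_secure_cookie` forwards extra kwargs to `set_cookie`, which accepts `samesite` (Tornado 5.1+, so check the pinned version), e.g. `request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=True, samesite='Lax')`. Minor: the kwarg order here (`secure` before `httponly`) is the reverse of the other three call sites in this commit. `_write_client_token` is shown in full; `_read_client_token`, which presumably checks the embedded expiry, is outside the hunk.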
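Review bot: The new `'token'` write still relies on `set_secure_cookie`'s default `expires_days=30` for both the browser Expires and the signed-value age, but the value is an OAuth access token whose own lifetime is what `should_refresh()`/`resolve_next_refresh_datetime()` are tracking; a cookie that outlives the token by weeks is harmless only if `can_restore_state` re-validates the token upstream, which is worth confirming. If the response exposes an expiry, bind the cookie to it, e.g. `expires=token_response.resolve_next_refresh_datetime()` (or an `expires_days` derived from it), and pass the same bound as `max_age_days` where the cookie is read. Note also that a signed cookie is not encrypted: the access token is readable by anything that can read the cookie, which is exactly why `httponly=True` here is the important half of the change. `update_tokens` continues past this hunk.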
@@ -33,7 +34,7 @@ def update_tokens(self, token_response: OAuthTokenResponse, username, request_ha
 self._refresh_tokens[username] = refresh_token
 self._schedule_token_refresh(username, refresh_token, token_response.resolve_next_refresh_datetime())
- request_handler.set_secure_cookie('token_details', token_response.serialize_details())
+ request_handler.set_secure_cookie('token_details', token_response.serialize_details(), httponly=True, secure=server_config.cookie_secure)
 def can_restore_state(self, request_handler):
 if not self._enabled:
diff --git a/src/auth/tornado_auth.py b/src/auth/tornado_auth.py
index 05b741a0..64f22138 100644
--- a/src/auth/tornado_auth.py
+++ b/src/auth/tornado_auth.py
@@ -88,7 +88,8 @@ def authenticate(self, request_handler):
 LOGGER.info('Authenticated user ' + username)
- request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days)
+ server_config = request_handler.application.server_config
+ request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days, httponly=True, secure=server_config.cookie_secure)
 path = tornado.escape.url_unescape(request_handler.get_argument('next', '/'))
diff --git a/src/model/server_conf.py b/src/model/server_conf.py
index c3cf0de3..1bd0ab96 100644
--- a/src/model/server_conf.py
+++ b/src/model/server_conf.py
@@ -45,6 +45,7 @@ def __init__(self) -> None:
 self.xsrf_protection = None
 # noinspection PyTypeChecker
 self.env_vars: EnvVariables = None
+ self.cookie_secure = True
 def get_port(self):
 return self.port
@@ -201,6 +202,7 @@ def from_json(conf_path, temp_folder):
 security = model_helper.read_dict(json_object, 'security')
+ config.cookie_secure = model_helper.read_bool_from_config('cookie_secure', security, default=True)
 config.allowed_users = _prepare_allowed_users(allowed_users, admin_users, user_groups)
 config.alerts_config = json_object.get('alerts')
 config.callbacks_config = json_object.get('callbacks')
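Review bot: `server_config` on the new `'token_details'` line is bound about ten lines earlier, in the previous hunk of `update_tokens` (after the `_enabled` guard), so it is in scope, but nothing in this hunk shows that, and this is now the fourth copy of the `httponly=True, secure=server_config.cookie_secure` pair across the auth modules. A single helper keeps the attribute set from drifting between call sites: `def set_auth_cookie(request_handler, name, value, **kwargs)` that reads `request_handler.application.server_config` and calls `request_handler.set_secure_cookie(name, value, httponly=True, secure=server_config.cookie_secure, **kwargs)`; both writes in this function and the ones in identification.py and tornado_auth.py become one-line calls. It is also the natural place to add `samesite` once rather than per call. `update_tokens` starts outside this hunk.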
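Review bot: On the new `'username'` line, `expires_days=self.authenticator.auth_expiration_days` only controls the browser-side `Expires`; Tornado checks the signature's age separately in `get_secure_cookie(..., max_age_days=31)`, so unless the read site (outside this hunk) passes `max_age_days=self.authenticator.auth_expiration_days`, a captured cookie stays valid for 31 days regardless of a shorter configured expiration, and this cookie is the session credential. As with the other auth cookies in this commit, `samesite='Lax'` belongs on this call too. Separately, and unchanged by the commit: `path` comes straight from the `next` argument; if it is handed to `redirect()` further down without checking that it is a relative path, that is an open redirect after login — the rest of `authenticate` is not visible here, so please confirm.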
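Review bot: `self.cookie_secure = True` in `__init__` needs a comment saying what it gates and why the default is the strict one, because a `True` default on a plain-HTTP deployment makes browsers discard every auth cookie and login fails with no server-side error to explain it. Suggested: `# Sets the Secure flag on auth/XSRF cookies; True means browsers only store and send them over HTTPS, so plain-HTTP deployments must set security.cookie_secure=false.` The field sits next to `xsrf_protection`, which suggests both are read from the `security` section; the constructor is only partially visible in this hunk.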
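Review bot: `read_bool_from_config('cookie_secure', security, default=True)` accepts the value silently, yet `True` with no TLS configured is a deployment that cannot log in (browsers refuse to store a `Secure` cookie set over http) and nothing in the server will say why. A one-line guard at config load would catch it, along the lines of `if config.cookie_secure and not <tls configured>: LOGGER.warning('security.cookie_secure is true but TLS is not configured; browsers will reject auth cookies over plain HTTP')` — which attribute records the SSL settings is not visible in this hunk, so the condition needs filling in. Conversely an explicit `false` on an HTTPS deployment downgrades every cookie, so the option deserves an entry wherever the other `security` keys are documented. `from_json` continues outside the hunk.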
diff --git a/src/web/server.py b/src/web/server.py
index 08c4389d..2b51eb43 100755
--- a/src/web/server.py
+++ b/src/web/server.py
@@ -864,6 +864,11 @@ def init(server_config: ServerConfig,
 'websocket_ping_timeout': 300,
 'compress_response': True,
 'xsrf_cookies': server_config.xsrf_protection != XSRF_PROTECTION_DISABLED,
+ 'xsrf_cookie_kwargs': {
+ 'httponly': True,
+ 'secure': server_config.cookie_secure,
+ 'samesite': 'Lax'
+ },
 }
 application = tornado.web.Application(handlers, **settings)
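Review bot: `'httponly': True` on the `_xsrf` cookie breaks CSRF protection outright if the web client obtains the token by reading `_xsrf` from `document.cookie` and sending it as `X-XSRFToken` — Tornado's documented AJAX pattern — because an HttpOnly cookie is invisible to script and every POST would then 403. Confirm the client gets the token another way (e.g. `xsrf_token` rendered into the page, or a dedicated endpoint) before merging; if it does read the cookie, drop `httponly` for this cookie only, since the `_xsrf` value is not a credential whereas the auth cookies are. `samesite` needs a Tornado whose `set_cookie` accepts it (5.1+), so pin that in the requirements, and a trailing comma after `'samesite': 'Lax'` keeps the dict diff-friendly. `init` starts and ends outside this hunk.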