grantonthenet
/
microblog
forked from berserker/microblog
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix cookies secure flag being set when served over Tor (#17992)

Browse Source
main
Eugen Rochko 2 years ago committed by GitHub
parent 46633f1de1
commit 6e418bf346
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 2 additions and 30 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      config/application.rb
  2. 4
      config/initializers/devise.rb
  3. 2
      config/initializers/session_store.rb
  4. 25
      lib/action_dispatch/cookie_jar_extensions.rb

1
config/application.rb
Unescape View File

@ -40,7 +40,6 @@ require_relative '../lib/devise/two_factor_pam_authenticatable'
require_relative '../lib/chewy/strategy/custom_sidekiq'
require_relative '../lib/webpacker/manifest_extensions'
require_relative '../lib/webpacker/helper_extensions'
require_relative '../lib/action_dispatch/cookie_jar_extensions'
require_relative '../lib/rails/engine_extensions'
require_relative '../lib/active_record/database_tasks_extensions'
require_relative '../lib/active_record/batches'

4
config/initializers/devise.rb
Unescape View File

@ -8,7 +8,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
value: session_id,
expires: 1.year.from_now,
httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax,
}
end
@ -23,7 +22,6 @@ Warden::Manager.after_fetch do |user, warden|
value: session_id,
expires: 1.year.from_now,
httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax,
}
else
@ -265,7 +263,7 @@ Devise.setup do |config|
# Options to be passed to the created cookie. For instance, you can set
# secure: true in order to force SSL only cookies.
config.rememberable_options = { secure: true }
config.rememberable_options = {}
# ==> Configuration for :validatable
# Range for password length.

2
config/initializers/session_store.rb
Unescape View File

@ -2,5 +2,5 @@
Rails.application.config.session_store :cookie_store,
key: '_mastodon_session',
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
secure: false, # All cookies have their secure flag set by the force_ssl option in production
same_site: :lax

25
lib/action_dispatch/cookie_jar_extensions.rb
Unescape View File

@ -1,25 +0,0 @@
# frozen_string_literal: true
module ActionDispatch
module CookieJarExtensions
private
# Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
# users. Otherwise, ActionDispatch would drop the cookie over HTTP.
def write_cookie?(*)
request.host.end_with?('.onion') || super
end
end
end
ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
module Rack
module SessionPersistedExtensions
def security_matches?(request, options)
request.host.end_with?('.onion') || super
end
end
end
Rack::Session::Abstract::Persisted.prepend(Rack::SessionPersistedExtensions)
Write Preview
Loading…
Cancel
Save