# HG changeset patch
# User bsw
# Date 1603208929 -7200
# Node ID 25ea15b4bd5ed391695395ed63f0191e7a070cce
# Parent 1e5c1edf73882d497aac9f52567771f4ca2c03d0
Reworked cookie session control, exceptions for API
diff -r 1e5c1edf7388 -r 25ea15b4bd5e app/main/_filter/20_session.lua
--- a/app/main/_filter/20_session.lua	Mon Oct 12 12:19:18 2020 +0200
+++ b/app/main/_filter/20_session.lua	Tue Oct 20 17:48:49 2020 +0200
@@ -1,37 +1,58 @@
-local cookie = request.get_cookie{ name = config.cookie_name }
-local cookie_samesite = request.get_cookie{ name = config.cookie_name_samesite }
+local module = request.get_module()
+local view = request.get_view()
-local oauth2_session_request = request.get_module() == "oauth2" and request.get_view() == "session"
+local need_session = false
+local cors_request = false
-if
-  cookie and cookie ~= cookie_samesite and not oauth2_session_request
-then
-  slot.put_into("error", _"Cookie error. Try restarting your web browser and login again.")
-  ui.script{ script = [[
-    function cookie_by_name(name) {
-      var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
-      if (match) return match[2];
-    }
-    var cookie = (cookie_by_name("]] .. config.cookie_name .. [["));
-    var cookie_samesite = (cookie_by_name("]] .. config.cookie_name_samesite ..[["));
-    if (cookie != cookie_samesite) {
-      document.cookie = "]] .. config.cookie_name .. [[= ; expires = Thu, 01 Jan 1970 00:00:00 GMT"
-      document.cookie = "]] .. config.cookie_name_samesite .. [[= ; expires = Thu, 01 Jan 1970 00:00:00 GMT"
-      window.location = "]] .. request.get_absolute_baseurl() .. [[";
-    }
-  ]]}
-  return
+if module == "api" then
+  need_session = false
+elseif module == "oauth2" then
+  if view == "authorization" then
+    need_session = true
+  elseif view == "session" then
+    need_session = true
+    cors_request = true
+  else
+    need_session = false
+  end
+else
+  need_session = true
 end
-if cookie then
-  app.session = Session:by_ident(cookie)
-end
+if need_session then
+
+  local cookie = request.get_cookie{ name = config.cookie_name }
-if not app.session then
-  app.session = Session:new()
-  if not oauth2_session_request then
+  if not cors_request then
+    local cookie_samesite = request.get_cookie{ name = config.cookie_name_samesite }
+    if cookie ~= cookie_samesite then
+      slot.put_into("error", _"Cookie error. 
Try restarting your web browser and login again.")
+      ui.script{ script = [[
+        function cookie_by_name(name) {
+          var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
+          if (match) return match[2];
+        }
+        var cookie = (cookie_by_name("]] .. config.cookie_name .. [["));
+        var cookie_samesite = (cookie_by_name("]] .. config.cookie_name_samesite ..[["));
+        if (cookie != cookie_samesite) {
+          document.cookie = "]] .. config.cookie_name .. [[= ; expires = Thu, 01 Jan 1970 00:00:00 GMT"
+          document.cookie = "]] .. config.cookie_name_samesite .. [[= ; expires = Thu, 01 Jan 1970 00:00:00 GMT"
+          window.location = "]] .. request.get_absolute_baseurl() .. [[";
+        }
+      ]]}
+      return
+    end
+  end
+
+  if cookie then
+    app.session = Session:by_ident(cookie)
+  end
+
+  if not cors_request and not app.session then
+    app.session = Session:new()
     app.session:set_cookie()
   end
+
 end
 locale.set{ lang = app.session.lang or config.default_lang or "en" }
diff -r 1e5c1edf7388 -r 25ea15b4bd5e app/main/oauth2/session.lua
--- a/app/main/oauth2/session.lua	Mon Oct 12 12:19:18 2020 +0200
+++ b/app/main/oauth2/session.lua	Tue Oct 20 17:48:49 2020 +0200
@@ -8,7 +8,7 @@
   member_id = json.null
 }
-if app.session.member_id then
+if app.session and app.session.member_id then
   local origin = request.get_header("Origin")
   if origin then
     local system_applications = SystemApplication:by_origin(origin)
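Review bot: `locale.set{ lang = app.session.lang or config.default_lang or "en" }` at the end of the hunk still indexes app.session unconditionally, yet the new branches leave it unset for `module == "api"` and for a cookieless request to oauth2/session (cors_request skips Session:new()), so those requests would fail with an index-on-nil error there unless something earlier populates app.session; the companion guard `app.session and app.session.member_id` added in oauth2/session.lua suggests nil is indeed reachable. The same guard belongs here: `locale.set{ lang = (app.session and app.session.lang) or config.default_lang or "en" }`. Note also that `if cookie ~= cookie_samesite then` now triggers the cookie-reset page when only the samesite cookie is present (nil ~= cookie_samesite), whereas the old condition required `cookie` to be set; if that is intended, a one-line comment stating the invariant the two cookies must satisfy (both absent or equal) would make the check self-explanatory. The `need_session = false` assignments in the api branch and the oauth2 else-branch repeat the initial value and could be dropped.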
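Review bot: The new `app.session and` guard should carry a comment saying why the session can be absent on this view, because a reader of session.lua alone cannot see that 20_session.lua now skips Session:new() for the oauth2/session endpoint and only loads a session when a cookie was sent; e.g. `-- app.session is nil when the request carried no session cookie: the session filter does not create one for this CORS endpoint`. The enclosing block continues past the hunk, so whether the `member_id = json.null` default is the intended response for a nil session cannot be confirmed from here.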