feat: enhance CSRF cookie configuration for OAuth

- Added support for SameSite attribute in CSRF cookies to handle cross-origin requests.
- Set SameSite to 'none' for secure contexts and 'lax' for local development.
DESKTOP-RTLN3BA\$punk 2025-12-19 15:03:12 -08:00
parent 231c36805d
commit 7e383b3fe2


@ -105,6 +105,12 @@ if config.AUTH_TYPE == "GOOGLE":
# The CSRF cookie must have secure=False for HTTP (localhost development)
is_secure_context = config.BACKEND_URL and config.BACKEND_URL.startswith("https://")
# For cross-origin OAuth (frontend and backend on different domains):
# - SameSite=None is required to allow cross-origin cookie setting
# - Secure=True is required when SameSite=None
# For same-origin or local development, use SameSite=Lax (default)
csrf_cookie_samesite = "none" if is_secure_context else "lax"
app.include_router(
fastapi_users.get_oauth_router(
google_oauth_client,
@ -112,6 +118,7 @@ if config.AUTH_TYPE == "GOOGLE":
SECRET,
is_verified_by_default=True,
csrf_token_cookie_secure=is_secure_context,
csrf_token_cookie_samesite=csrf_cookie_samesite,
)
if not config.BACKEND_URL
else fastapi_users.get_oauth_router(
@ -121,6 +128,7 @@ if config.AUTH_TYPE == "GOOGLE":
is_verified_by_default=True,
redirect_url=f"{config.BACKEND_URL}/auth/google/callback",
csrf_token_cookie_secure=is_secure_context,
csrf_token_cookie_samesite=csrf_cookie_samesite,
),
prefix="/auth/google",
tags=["auth"],
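Review bot: The SameSite choice in the first hunk (`csrf_cookie_samesite = "none" if is_secure_context else "lax"`) keys only on whether BACKEND_URL is HTTPS, not on whether the frontend and backend are actually on different origins as the comment above it states, so every HTTPS deployment, including a same-origin one, gets SameSite=None and gives up the cross-site request mitigation the comment describes as the default. SameSite=None is only needed for the genuinely cross-origin case, so the condition should take an explicit cross-origin setting from `config` (name to be chosen; none is visible on this page) into account alongside the HTTPS check, keeping `"lax"` otherwise; the same value is then consumed unchanged by the two `csrf_token_cookie_samesite=` lines in the later hunks, so fixing it once in the first hunk covers all three. If the cross-origin case is the only deployment this branch supports, the comment should say so explicitly rather than describing a same-origin default the code does not produce. The enclosing `if config.AUTH_TYPE == "GOOGLE":` block starts outside the hunks, and the first hunk appears to be missing two of its twelve new-side lines on this page.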