Skip to content

Commit

Permalink
fix(auth): set oauth2 state and nonce cookies with lax samesite policy (
Browse files Browse the repository at this point in the history
  • Loading branch information
axiomofjoy authored Sep 20, 2024
1 parent 4a101c7 commit d0d867c
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions src/phoenix/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ def set_access_token_cookie(
response=response,
cookie_name=PHOENIX_ACCESS_TOKEN_COOKIE_NAME,
cookie_max_age=max_age,
samesite="strict",
value=access_token,
)

Expand All @@ -95,6 +96,7 @@ def set_refresh_token_cookie(
response=response,
cookie_name=PHOENIX_REFRESH_TOKEN_COOKIE_NAME,
cookie_max_age=max_age,
samesite="strict",
value=refresh_token,
)

Expand All @@ -106,6 +108,7 @@ def set_oauth2_state_cookie(
response=response,
cookie_name=PHOENIX_OAUTH2_STATE_COOKIE_NAME,
cookie_max_age=max_age,
samesite="lax",
value=state,
)

Expand All @@ -117,19 +120,25 @@ def set_oauth2_nonce_cookie(
response=response,
cookie_name=PHOENIX_OAUTH2_NONCE_COOKIE_NAME,
cookie_max_age=max_age,
samesite="lax",
value=nonce,
)


def _set_cookie(
response: ResponseType, cookie_name: str, cookie_max_age: timedelta, value: str
*,
response: ResponseType,
cookie_name: str,
cookie_max_age: timedelta,
samesite: Literal["strict", "lax"],
value: str,
) -> ResponseType:
response.set_cookie(
key=cookie_name,
value=value,
secure=get_env_phoenix_use_secure_cookies(),
httponly=True,
samesite="strict",
samesite=samesite,
max_age=int(cookie_max_age.total_seconds()),
)
return response
Expand Down

0 comments on commit d0d867c

Please sign in to comment.