fix: configure sessions to be strictly same-site
parent
0a2a578547
commit
a7e64bce7b
@ -5,7 +5,7 @@
static-dir: "_env:STATIC_DIR:static"
well-known-dir: "_env:WELL_KNOWN_DIR:well-known"
well-known-link-file: "html_code.html"
well-known-link-file: html_code.html
webpack-manifest: "_env:WEBPACK_MANIFEST:config/webpack.yml"
host: "_env:HOST:*4" # any IPv4 host
@ -70,7 +70,7 @@ allow-deprecated: "_env:ALLOW_DEPRECATED:false"
server-session-acid-fallback: "_env:SERVER_SESSION_ACID_FALLBACK:false"
auth-pw-hash:
algorithm: "pbkdf2"
algorithm: pbkdf2
strength: 14
# Optional values with the following production defaults.
@ -111,7 +111,7 @@ smtp:
port: "_env:SMTPPORT:25"
ssl: "_env:SMTPSSL:starttls"
auth:
type: "login"
type: login
user: "_env:SMTPUSER:"
pass: "_env:SMTPPASS:"
pool:
@ -137,7 +137,7 @@ session-memcached:
expiration: "_env:SESSION_MEMCACHED_EXPIRATION:28807"
server-sessions:
cookie-name: "_SESSION"
cookie-name: _SESSION
idle-timeout: 28807
absolute-timeout: 604801
timeout-resolution: 601
@ -146,6 +146,7 @@ server-sessions:
secure-cookies: "_env:SERVER_SESSION_COOKIES_SECURE:true"
session-token-expiration: 28807
session-token-encoding: HS256
session-samesite: strict
user-defaults:
max-favourites: 12
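Review bot: `session-samesite: strict` is the only value in the server-sessions block that cannot be overridden from the environment, unlike `secure-cookies: "_env:SERVER_SESSION_COOKIES_SECURE:true"` a few lines above; if the same `_env:` loader applies to this key, `session-samesite: "_env:SERVER_SESSION_SAMESITE:strict"` lets operators select `lax` (which the code also accepts) without a code change. A short comment next to the key would help too, e.g. `# strict: browsers omit the session cookie on cross-site top-level navigations (e.g. a link from an e-mail), so such visitors arrive without a session; lax keeps it for top-level GETs`. Note that the Haskell side reads this key as optional and applies no same-site wrapper when it is absent, so deleting this line silently drops the attribute rather than failing at startup.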
@ -4,8 +4,8 @@ database:
log-settings:
detailed: true
all: true
minimum-level: "debug"
destination: "test.log"
minimum-level: debug
destination: test.log
auth-dummy-login: true
server-session-acid-fallback: true
@ -1469,7 +1469,7 @@ instance Yesod UniWorX where
Nothing -> getApprootText guessApproot app req
Just root -> root
makeSessionBackend app@UniWorX{ appSettings' = AppSettings{..}, ..} = case appSessionStore of
makeSessionBackend app@UniWorX{ appSettings' = AppSettings{..}, ..} = sameSite $ case appSessionStore of
SessionStorageMemcachedSql sqlStore
-> mkBackend =<< stateSettings <$> ServerSession.createState sqlStore
SessionStorageAcid acidStore
@ -1494,6 +1494,13 @@ instance Yesod UniWorX where
mkBackend = JwtSession.backend cfg (JwtSession.siteApproot app)
stateSettings :: forall sto. ServerSession.State sto -> ServerSession.State sto
stateSettings = applyServerSessionSettings appServerSessionConfig
sameSite
| Just SameSiteStrict <- appSessionSameSite
= strictSameSiteSessions
| Just SameSiteLax <- appSessionSameSite
= laxSameSiteSessions
| otherwise
= id
maximumContentLength app _ = app ^. _appMaximumContentLength
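Review bot: The where-bound `sameSite` has no type signature while its sibling `stateSettings` does, and its pattern guards end in `| otherwise = id`, so a constructor added to `SameSite` later would silently fall through to "no attribute" instead of raising an incomplete-pattern warning. An exhaustive form keeps both properties: `sameSite :: IO (Maybe SessionBackend) -> IO (Maybe SessionBackend)` and `sameSite = maybe id (\s -> case s of SameSiteStrict -> strictSameSiteSessions; SameSiteLax -> laxSameSiteSessions) appSessionSameSite`. The `Nothing` case (key absent from the config) currently applies no wrapper at all, so the session cookie presumably goes out with whatever SameSite handling the chosen backend has by default; if an unset key should still be protected, mapping `Nothing` to `laxSameSiteSessions` is the conservative fallback. The enclosing `makeSessionBackend` starts in the previous hunk, whose `SessionStorageAcid` branch is cut off there.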
@ -98,6 +98,7 @@ data AppSettings = AppSettings
, appSessionMemcachedConf :: Maybe MemcachedConf
, appSessionTokenExpiration :: Maybe NominalDiffTime
, appSessionTokenEncoding :: JwtEncoding
, appSessionSameSite :: Maybe SameSite
, appMailFrom :: Address
, appMailObjectDomain :: Text
@ -158,6 +159,10 @@ data AppSettings = AppSettings
, appRibbon :: Maybe Text
} deriving Show
data SameSite = SameSiteStrict | SameSiteLax
deriving stock (Eq, Ord, Read, Show, Enum, Bounded, Generic, Typeable)
deriving anyclass (Universe, Finite)
newtype ServerSessionSettings
= ServerSessionSettings { applyServerSessionSettings :: forall a. ServerSession.State a -> ServerSession.State a }
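Review bot: Neither `SameSite` here nor the new `appSessionSameSite :: Maybe SameSite` field in the hunk at -98 carries any Haddock, so the meaning of `Nothing` is only discoverable by reading Foundation's `sameSite`, where it falls through to `id`. Suggest `-- | Value of the SameSite attribute applied to the session cookie; serialised as @strict@ / @lax@ by the 'nullaryPathPiece' instance below.` on the type and `-- ^ 'Nothing' (config key @session-samesite@ absent) applies no same-site wrapper to the session backend` on the field. The config key read in the hunk at -491, `session-samesite`, also breaks the one-hyphen-per-word pattern of its neighbours (`session-token-expiration`, `session-token-encoding`); if nothing depends on it yet, `session-same-site` would be consistent.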
@ -272,6 +277,9 @@ data SmtpAuthConf = SmtpAuthConf
, smtpAuthPassword :: HaskellNet.Password
} deriving (Show)
nullaryPathPiece ''SameSite $ camelToPathPiece' 2
pathPieceJSON ''SameSite
deriveJSON defaultOptions
{ constructorTagModifier = camelToPathPiece' 2
, fieldLabelModifier = camelToPathPiece' 2
@ -491,6 +499,7 @@ instance FromJSON AppSettings where
appServerSessionConfig <- o .: "server-sessions"
appSessionTokenExpiration <- o .:? "session-token-expiration"
appSessionTokenEncoding <- o .: "session-token-encoding"
appSessionSameSite <- o .:? "session-samesite"
return AppSettings{..}