From 1c15e859865abe1e34920a78087b783e4a1cbf2a Mon Sep 17 00:00:00 2001
From: Sean Morley
Date: Thu, 20 Feb 2025 10:21:48 -0500
Subject: [PATCH] feat: Enhance session cookie domain handling for IP addresses and single-label hostnames
---
 backend/server/main/settings.py | 16 +++++++---------
 docker-compose.yml | 10 +++++-----
 frontend/src/routes/+page.server.ts | 4 +++-
 frontend/src/routes/login/+page.server.ts | 4 +++-
 4 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/backend/server/main/settings.py b/backend/server/main/settings.py
index 71ae052..dd099a1 100644
--- a/backend/server/main/settings.py
+++ b/backend/server/main/settings.py
@@ -135,17 +135,14 @@ SESSION_COOKIE_SAMESITE = 'Lax'
 SESSION_COOKIE_SECURE = FRONTEND_URL.startswith('https')
-# Parse the FRONTEND_URL
-# Remove and ' from the URL
-
-parsed_url = urlparse(FRONTEND_URL)
-hostname = parsed_url.hostname
-
-# Check if the hostname is an IP address
+hostname = urlparse(FRONTEND_URL).hostname
 is_ip_address = hostname.replace('.', '').isdigit()
-if is_ip_address:
- # Do not set a domain for IP addresses
+# Check if the hostname is single-label (no dots)
+is_single_label = '.' not in hostname
+
+if is_ip_address or is_single_label:
+ # Do not set a domain for IP addresses or single-label hostnames
 SESSION_COOKIE_DOMAIN = None
 else:
 # Use publicsuffix2 to calculate the correct cookie domain
@@ -156,6 +153,7 @@ else:
 # Fallback to the hostname if parsing fails
 SESSION_COOKIE_DOMAIN = hostname
+
 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/1.7/howto/static-files/
diff --git a/docker-compose.yml b/docker-compose.yml
index 562bd27..eca6a8c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 services:
 web:
- build: ./frontend/
- #image: ghcr.io/seanmorley15/adventurelog-frontend:latest
+ #build: ./frontend/
+ image: ghcr.io/seanmorley15/adventurelog-frontend:latest
 container_name: adventurelog-frontend
 restart: unless-stopped
 environment:
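Review bot: The new `hostname = urlparse(FRONTEND_URL).hostname` can evaluate to `None` when FRONTEND_URL has no scheme (for example `localhost:8015` parses with an empty netloc), and the next two lines then raise at settings import, since `None.replace` and `'.' not in None` both fail; the cheapest safe guard is `hostname = urlparse(FRONTEND_URL).hostname or ''`, which routes a misconfigured value into the host-only branch (`SESSION_COOKIE_DOMAIN = None`) instead of crashing startup. `hostname.replace('.', '').isdigit()` is also a loose IPv4 test (`'1234'` passes, IPv6 literals such as `::1` do not); if a precise check is wanted, the stdlib `ipaddress.ip_address(hostname)` inside a `try`/`except ValueError` is the usual form. The comment on the new branch could state the reason rather than restate the condition, e.g. `# Browsers reject a Domain attribute that names an IP literal or a dot-less host (e.g. localhost), so fall back to a host-only cookie`. The `else:` branch that consults publicsuffix2 continues outside the hunk.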
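Review bot: The new `image: ghcr.io/seanmorley15/adventurelog-frontend:latest` (and the backend counterpart in the `@@ -25,8 +25,8 @@` hunk) pins deployments to a mutable tag, so `docker compose up` silently picks up whatever was last pushed and two hosts can run different code under the same compose file. Pin a release tag or a digest instead, for example `image: ghcr.io/seanmorley15/adventurelog-frontend:<release-tag>` or `image: ghcr.io/seanmorley15/adventurelog-frontend@sha256:<digest>` (placeholders), and bump it deliberately. The commented-out `#build: ./frontend/` lines are left behind; either drop them or give them a purpose with a comment such as `# Uncomment to build from source instead of pulling the published image`.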
@@ -25,8 +25,8 @@ services:
 - postgres_data:/var/lib/postgresql/data/
 server:
- build: ./backend/
- #image: ghcr.io/seanmorley15/adventurelog-backend:latest
+ #build: ./backend/
+ image: ghcr.io/seanmorley15/adventurelog-backend:latest
 container_name: adventurelog-backend
 restart: unless-stopped
 environment:
@@ -38,7 +38,7 @@ services:
 - DJANGO_ADMIN_USERNAME=admin
 - DJANGO_ADMIN_PASSWORD=admin
 - DJANGO_ADMIN_EMAIL=admin@example.com
- - PUBLIC_URL='http://localhost:8016' # Match the outward port, used for the creation of image urls
+ - PUBLIC_URL=http://localhost:8016 # Match the outward port, used for the creation of image urls
 - CSRF_TRUSTED_ORIGINS=http://localhost:8016,http://localhost:8015 # Comma separated list of trusted origins for CSRF
 - DEBUG=False
 - FRONTEND_URL=http://localhost:8015 # Used for email generation. This should be the url of the frontend
diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts
index 2e441db..e722dbf 100644
--- a/frontend/src/routes/+page.server.ts
+++ b/frontend/src/routes/+page.server.ts
@@ -58,8 +58,10 @@ export const actions: Actions = {
 // Check if hostname is an IP address
 const isIPAddress = /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
+ const isLocalhost = hostname === 'localhost';
+ const isSingleLabel = hostname.split('.').length === 1;
- if (!isIPAddress) {
+ if (!isIPAddress && !isSingleLabel && !isLocalhost) {
 const parsed = psl.parse(hostname);
 if (parsed && parsed.domain) {
diff --git a/frontend/src/routes/login/+page.server.ts b/frontend/src/routes/login/+page.server.ts
index 68dcd88..1422605 100644
--- a/frontend/src/routes/login/+page.server.ts
+++ b/frontend/src/routes/login/+page.server.ts
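Review bot: `isLocalhost` is redundant in the new condition: `'localhost'.split('.').length === 1`, so `isSingleLabel` is already true for that host and the guard can simply read `if (!isIPAddress && !isSingleLabel) {`; the same applies to the identical lines in `login/+page.server.ts` (`@@ -120,8 +120,10 @@`). Having the IP/single-label/PSL decision copied verbatim into two route files means the next fix has to land twice; a small shared helper in the frontend's lib directory, say `cookieDomainFor(hostname: string): string | undefined`, would own the rule and its tests, with both call sites reduced to one line. Note also that `/^\d{1,3}(\.\d{1,3}){3}$/` accepts octets above 255 and does not match IPv6 literals; a bracketed `[::1]` happens to be caught by the single-label test only because it contains no dot, which deserves a comment if it is relied on. The enclosing action (and `handleSuccessfulLogin` in the login file) starts before the hunk, and `hostname` is derived above it, so how it is obtained from the request is not visible here.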
@@ -120,8 +120,10 @@ function handleSuccessfulLogin(event: RequestEvent, respo
 // Check if hostname is an IP address
 const isIPAddress = /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
+ const isLocalhost = hostname === 'localhost';
+ const isSingleLabel = hostname.split('.').length === 1;
- if (!isIPAddress) {
+ if (!isIPAddress && !isSingleLabel && !isLocalhost) {
 const parsed = psl.parse(hostname);
 if (parsed && parsed.domain) {