diff --git a/rain_api_core/auth.py b/rain_api_core/auth.py
index 49b0b9e..96db5a2 100644
--- a/rain_api_core/auth.py
+++ b/rain_api_core/auth.py
@@ -143,4 +143,9 @@ def get_header_to_set_auth_cookie(self, user_profile: Optional[UserProfile], coo
             expire_date = format_7231_date(payload['exp'])
         else:
             expire_date = 'Thu, 01 Jan 1970 00:00:00 GMT'
-        return {'SET-COOKIE': f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}'}
+        return {
+            'SET-COOKIE': (
+                f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}; Secure; '
+                'HttpOnly; SameSite=Lax'
+            )
+        }
diff --git a/tests/test_auth.py b/tests/test_auth.py
index fada2d2..1951907 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -163,17 +163,29 @@ def test_get_header_to_set_auth_cookie(
     )
     header = jwt_manager.get_header_to_set_auth_cookie(profile, '')
-    assert header == {'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/'}
+    assert header == {
+        'SET-COOKIE': (
+            'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Secure; HttpOnly; SameSite=Lax'
+        )
+    }
     header = jwt_manager.get_header_to_set_auth_cookie(profile, 'DOMAIN')
     assert header == {
-        'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN'
+        'SET-COOKIE': (
+            'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN; Secure; HttpOnly; '
+            'SameSite=Lax'
+        )
     }
 def test_get_header_to_set_auth_cookie_logout(jwt_manager):
     header = jwt_manager.get_header_to_set_auth_cookie(None, 'DOMAIN')
-    assert header == {'SET-COOKIE': 'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN'}
+    assert header == {
+        'SET-COOKIE': (
+            'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN; Secure; HttpOnly; '
+            'SameSite=Lax'
+        )
+    }
 @mock.patch(f'{MODULE}.time', autospec=True)
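Review bot: The `Secure` attribute is now hard-coded on the returned `SET-COOKIE` value, and nothing in the hunk gates it, so a browser will refuse to store (or, over plain HTTP, to overwrite) this cookie on any non-TLS endpoint such as a local `http://` test run; if such runs exist, a keyword-only `secure: bool = True` on the signature (outside this hunk) would keep the hardened default without breaking them. The reason for `SameSite=Lax` rather than `Strict` is also not recorded anywhere visible, and it matters for an auth cookie that is presumably set after a top-level redirect back from the login provider, so I would add a comment on the `return`: `# Secure + HttpOnly keep the JWT off plain HTTP and out of document.cookie; Lax (not Strict) so the cookie is still sent on a top-level navigation back from the login redirect -- verify against the login flow`. The f-string still interpolates `cookie_value` and `cookie_domain` unescaped, which is only safe if `cookie_value` can never contain `;` (a JWT cannot, if that is what it always is); the assignments of both happen above the hunk, so I cannot confirm it here. `get_header_to_set_auth_cookie` begins before the hunk.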
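Review bot: The three rewritten assertions each spell out the full `Secure; HttpOnly; SameSite=Lax` suffix as a literal, so the next attribute change means editing three near-identical 100-character strings and any harmless reordering of attributes breaks all of them. A module-level `COOKIE_FLAGS = 'Secure; HttpOnly; SameSite=Lax'` reused as `f'...; Path=/; {COOKIE_FLAGS}'` keeps the intent in one place, or, more robustly, parse the header with `http.cookies.SimpleCookie` and assert on `morsel['secure']`, `morsel['httponly']` and `morsel['samesite']` so the test pins the attributes rather than their print order. `test_get_header_to_set_auth_cookie` starts before the hunk, and the trailing `@mock.patch` line belongs to a test that continues past it.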