about summary refs log tree commit diff
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2022-04-08 12:47:18 +0200
committerGitHub <noreply@github.com>2022-04-08 12:47:18 +0200
commit6e418bf3465d2df6b47e9b43d3b960504b81e8fb (patch)
tree8c57fbb98431dcfa477872cae3581f08102212b6
parent46633f1de1dafb860ee444d041f8454c4a0bd62f (diff)
Fix cookies secure flag being set when served over Tor (#17992)
Diffstat
-rw-r--r--config/application.rb1


-rw-r--r--config/initializers/devise.rb4


-rw-r--r--config/initializers/session_store.rb2


-rw-r--r--lib/action_dispatch/cookie_jar_extensions.rb25


4 files changed, 2 insertions, 30 deletions
diff --git a/config/application.rb b/config/application.rb
index bed935ce3..a1ba71f61 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -40,7 +40,6 @@ require_relative '../lib/devise/two_factor_pam_authenticatable'
 require_relative '../lib/chewy/strategy/custom_sidekiq'
 require_relative '../lib/webpacker/manifest_extensions'
 require_relative '../lib/webpacker/helper_extensions'
-require_relative '../lib/action_dispatch/cookie_jar_extensions'
 require_relative '../lib/rails/engine_extensions'
 require_relative '../lib/active_record/database_tasks_extensions'
 require_relative '../lib/active_record/batches'
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index b434c68fa..c55bea7a7 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -8,7 +8,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
     value: session_id,
     expires: 1.year.from_now,
     httponly: true,
-    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
     same_site: :lax,
   }
 end
@@ -23,7 +22,6 @@ Warden::Manager.after_fetch do |user, warden|
       value: session_id,
       expires: 1.year.from_now,
       httponly: true,
-      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
       same_site: :lax,
     }
   else
@@ -265,7 +263,7 @@ Devise.setup do |config|
 
   # Options to be passed to the created cookie. For instance, you can set
   # secure: true in order to force SSL only cookies.
-  config.rememberable_options = { secure: true }
+  config.rememberable_options = {}
 
   # ==> Configuration for :validatable
   # Range for password length.
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 3d9bf96fd..210964b1f 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -2,5 +2,5 @@
 
 Rails.application.config.session_store :cookie_store,
   key: '_mastodon_session',
-  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+  secure: false, # All cookies have their secure flag set by the force_ssl option in production
   same_site: :lax
diff --git a/lib/action_dispatch/cookie_jar_extensions.rb b/lib/action_dispatch/cookie_jar_extensions.rb
deleted file mode 100644
index 1be9053ba..000000000
--- a/lib/action_dispatch/cookie_jar_extensions.rb
+++ /dev/null
@@ -1,25 +0,0 @@
-# frozen_string_literal: true
-
-module ActionDispatch
-  module CookieJarExtensions
-    private
-
-    # Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
-    # users. Otherwise, ActionDispatch would drop the cookie over HTTP.
-    def write_cookie?(*)
-      request.host.end_with?('.onion') || super
-    end
-  end
-end
-
-ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
-
-module Rack
-  module SessionPersistedExtensions
-    def security_matches?(request, options)
-      request.host.end_with?('.onion') || super
-    end
-  end
-end
-
-Rack::Session::Abstract::Persisted.prepend(Rack::SessionPersistedExtensions)

 

generated by cgit-pink  (git 2.37.1) at 2024-06-29 11:31:04 +0000