Fix login logout on safari (#2309)

* fix: relax security level for public cookies * fix: corner case for logout
2024-03-07 11:22:42 +02:00 · 2024-03-07 11:22:42 +02:00 · cb5c9b03bf
commit cb5c9b03bf
parent 884a1b9d6f
3 changed files with 6 additions and 12 deletions
--- a/lnbits/app.py
+++ b/lnbits/app.py
@ -535,9 +535,7 @@ def register_exception_handlers(app: FastAPI):
                response = RedirectResponse("/")
                response.delete_cookie("cookie_access_token")
                response.delete_cookie("is_lnbits_user_authorized")
-                response.set_cookie(
+                response.set_cookie("is_access_token_expired", "true")
                    "is_access_token_expired", "true", samesite="none", secure=True
                )
                return response
            return template_renderer().TemplateResponse(
--- a/lnbits/core/views/auth_api.py
+++ b/lnbits/core/views/auth_api.py
@ -142,6 +142,8 @@ async def logout() -> JSONResponse:
    response.delete_cookie("cookie_access_token")
    response.delete_cookie("is_lnbits_user_authorized")
    response.delete_cookie("is_access_token_expired")
    response.delete_cookie("lnbits_last_active_wallet")
    return response
@ -286,9 +288,7 @@ def _auth_success_response(
    )
    response = JSONResponse({"access_token": access_token, "token_type": "bearer"})
    response.set_cookie("cookie_access_token", access_token, httponly=True)
-    response.set_cookie(
+    response.set_cookie("is_lnbits_user_authorized", "true")
        "is_lnbits_user_authorized", "true", samesite="none", secure=True
    )
    response.delete_cookie("is_access_token_expired")
    return response
@ -298,9 +298,7 @@ def _auth_redirect_response(path: str, email: str) -> RedirectResponse:
    access_token = create_access_token(data={"sub": "" or "", "email": email})
    response = RedirectResponse(path)
    response.set_cookie("cookie_access_token", access_token, httponly=True)
-    response.set_cookie(
+    response.set_cookie("is_lnbits_user_authorized", "true")
        "is_lnbits_user_authorized", "true", samesite="none", secure=True
    )
    response.delete_cookie("is_access_token_expired")
    return response
--- a/lnbits/core/views/generic.py
+++ b/lnbits/core/views/generic.py
@ -221,9 +221,7 @@ async def wallet(
            "web_manifest": f"/manifest/{user.id}.webmanifest",
        },
    )
-    resp.set_cookie(
+    resp.set_cookie("lnbits_last_active_wallet", wallet_id)
        "lnbits_last_active_wallet", wallet_id, samesite="none", secure=True
    )
    return resp