Add more cookie options

ahopkins · Jun 10, 2020 · a21f7d3 · a21f7d3
1 parent 47399fc
commit a21f7d3
Show file tree

Hide file tree

Showing 24 changed files with 145 additions and 47 deletions.
diff --git a/example/basic_with_user_secrets.py b/example/basic_with_user_secrets.py
@@ -48,6 +48,7 @@ async def retrieve_user_secret(user_id):
     print(f"{user_id=}")
     return f"user_id|{user_id}"
 
+
 app = Sanic(__name__)
 Initialize(
     app,

diff --git a/example/inline_tokens_and_verification.py b/example/inline_tokens_and_verification.py
@@ -36,7 +36,9 @@ async def run():
 
     payload = await app.auth.verify_token(token, return_payload=True)
     try:
-        is_verified = await app.auth.verify_token(token, custom_claims=[UserIsPrime])
+        is_verified = await app.auth.verify_token(
+            token, custom_claims=[UserIsPrime]
+        )
     except exceptions.InvalidCustomClaimError:
         is_verified = False
     finally:
@@ -50,7 +52,9 @@ async def run():
 
     payload = await app.auth.verify_token(token, return_payload=True)
     try:
-        is_verified = await app.auth.verify_token(token, custom_claims=[UserIsPrime])
+        is_verified = await app.auth.verify_token(
+            token, custom_claims=[UserIsPrime]
+        )
     except exceptions.InvalidCustomClaimError:
         is_verified = False
     finally:

diff --git a/sanic_jwt/authentication.py b/sanic_jwt/authentication.py
@@ -7,8 +7,12 @@
 import jwt
 
 from . import exceptions, utils
-from .exceptions import (InvalidCustomClaimError, InvalidVerification,
-                         InvalidVerificationError, SanicJWTException)
+from .exceptions import (
+    InvalidCustomClaimError,
+    InvalidVerification,
+    InvalidVerificationError,
+    SanicJWTException
+)
 
 logger = logging.getLogger(__name__)
 claim_label = {"iss": "issuer", "iat": "iat", "nbf": "nbf", "aud": "audience"}
@@ -125,7 +129,9 @@ async def retrieve_user(self, *args, **kwargs):
 
 
 class Authentication(BaseAuthentication):
-    async def _check_authentication(self, request, request_args, request_kwargs):
+    async def _check_authentication(
+        self, request, request_args, request_kwargs
+    ):
         """
         Checks a request object to determine if that request contains a valid,
         and authenticated JWT.
@@ -247,13 +253,14 @@ async def _get_secret(self, token=None, payload=None, encode=False):
         if self.config.user_secret_enabled():
             if not payload:
                 algorithm = self._get_algorithm()
-                payload = jwt.decode(token, verify=False,
-                                     algorithms=[algorithm])
+                payload = jwt.decode(
+                    token, verify=False, algorithms=[algorithm]
+                )
             user_id = payload.get("user_id")
             return await utils.call(
                 self.retrieve_user_secret,
                 user_id=user_id,
-                encode=self._is_asymmetric and encode
+                encode=self._is_asymmetric and encode,
             )
 
         if self._is_asymmetric and encode:
@@ -273,7 +280,7 @@ def _get_token_from_cookies(self, request, refresh_token):
         token = request.cookies.get(cookie_token_name(), None)
         if not refresh_token and self.config.cookie_split() and token:
             signature_name = self.config.cookie_split_signature_name()
-            token += "." + request.cookies.get(signature_name, '')
+            token += "." + request.cookies.get(signature_name, "")
         return token
 
     def _get_token_from_headers(self, request, refresh_token):
@@ -516,7 +523,9 @@ async def is_authenticated(self, request):
     async def retrieve_refresh_token_from_request(self, request):
         return await self._get_refresh_token(request)
 
-    async def verify_token(self, token, return_payload=False, custom_claims=None):
+    async def verify_token(
+        self, token, return_payload=False, custom_claims=None
+    ):
         """
         Perform an inline verification of a token.
         """

diff --git a/sanic_jwt/configuration.py b/sanic_jwt/configuration.py
@@ -19,9 +19,12 @@
     "claim_nbf_delta": 0,
     "cookie_access_token_name": "access_token",
     "cookie_domain": "",
+    "cookie_expires": None,
     "cookie_httponly": True,
+    "cookie_max_age": 0,
     "cookie_path": "/",
     "cookie_refresh_token_name": "refresh_token",
+    "cookie_secure": False,
     "cookie_set": False,
     "cookie_split": False,
     "cookie_split_signature_name": "access_token_signature",

diff --git a/sanic_jwt/decorators.py b/sanic_jwt/decorators.py
@@ -231,7 +231,9 @@ async def decorated_function(request, *args, **kwargs):
                         f, request, *args, **kwargs
                     )  # noqa
 
-                payload = await instance.auth.extract_payload(request, verify=False)
+                payload = await instance.auth.extract_payload(
+                    request, verify=False
+                )
                 user = await utils.call(
                     instance.auth.retrieve_user, request, payload
                 )

diff --git a/sanic_jwt/endpoints.py b/sanic_jwt/endpoints.py
@@ -147,7 +147,9 @@ async def post(self, request, *args, **kwargs):
 
         # TODO:
         # - Add more exceptions
-        payload = await self.instance.auth.extract_payload(request, verify=False)
+        payload = await self.instance.auth.extract_payload(
+            request, verify=False
+        )
 
         try:
             user = await utils.call(

diff --git a/sanic_jwt/exceptions.py b/sanic_jwt/exceptions.py
@@ -117,9 +117,7 @@ class UserSecretNotImplemented(SanicJWTException):
     status_code = 500
 
     def __init__(
-        self,
-        message="User secrets have not been enabled.",
-        **kwargs
+        self, message="User secrets have not been enabled.", **kwargs
     ):
         super().__init__(message, **kwargs)
 

diff --git a/sanic_jwt/responses.py b/sanic_jwt/responses.py
@@ -2,15 +2,25 @@
 
 from .base import BaseDerivative
 
+COOKIE_OPTIONS = (
+    ("domain", "cookie_domain"),
+    ("expires", "cookie_expires"),
+    ("max-age", "cookie_max_age"),
+    ("secure", "cookie_secure"),
+)
+
 
 def _set_cookie(response, key, value, config, force_httponly=None):
     response.cookies[key] = value
-    response.cookies[key]["httponly"] = config.cookie_httponly() if force_httponly is None else force_httponly
+    response.cookies[key]["httponly"] = (
+        config.cookie_httponly() if force_httponly is None else force_httponly
+    )
     response.cookies[key]["path"] = config.cookie_path()
 
-    domain = config.cookie_domain()
-    if domain:
-        response.cookies[key]["domain"] = domain
+    for item, option in COOKIE_OPTIONS:
+        value = getattr(config, option)()
+        if value:
+            response.cookies[key][item] = value
 
 
 class Responses(BaseDerivative):
@@ -33,9 +43,19 @@ def get_token_response(
 
             if config.cookie_split():
                 signature_name = config.cookie_split_signature_name()
-                header_payload, signature = access_token.rsplit('.', maxsplit=1)
-                _set_cookie(response, key, header_payload, config, force_httponly=False)
-                _set_cookie(response, signature_name, signature, config, force_httponly=True)
+                header_payload, signature = access_token.rsplit(
+                    ".", maxsplit=1
+                )
+                _set_cookie(
+                    response, key, header_payload, config, force_httponly=False
+                )
+                _set_cookie(
+                    response,
+                    signature_name,
+                    signature,
+                    config,
+                    force_httponly=True,
+                )
             else:
                 _set_cookie(response, key, access_token, config)
 

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -73,6 +73,7 @@ async def retrieve_user(request, payload, *args, **kwargs):
 def retrieve_user_secret():
     async def retrieve_user_secret(user_id, **kwargs):
         return f"foobar<{user_id}>"
+
     yield retrieve_user_secret
 
 

diff --git a/tests/test_async_options.py b/tests/test_async_options.py
@@ -4,12 +4,12 @@
 """
 
 
+import jwt
 import pytest
 from sanic import Blueprint, Sanic
 from sanic.response import text
 from sanic.views import HTTPMethodView
 
-import jwt
 from sanic_jwt import Authentication, initialize, protected
 
 ALL_METHODS = ["GET", "OPTIONS"]

diff --git a/tests/test_claims.py b/tests/test_claims.py
@@ -1,6 +1,7 @@
 from datetime import datetime, timedelta
 
 import jwt
+
 from freezegun import freeze_time
 
 

diff --git a/tests/test_complete_authentication.py b/tests/test_complete_authentication.py
@@ -1,10 +1,10 @@
 from datetime import datetime, timedelta
 
+import jwt
 import pytest
 from sanic import Sanic
 from sanic.response import json
 
-import jwt
 from freezegun import freeze_time
 from sanic_jwt import Authentication, exceptions, Initialize, protected
 

diff --git a/tests/test_custom_claims.py b/tests/test_custom_claims.py
@@ -1,7 +1,7 @@
+import jwt
 import pytest
 from sanic import Sanic
 
-import jwt
 from sanic_jwt import Claim, exceptions, Initialize
 
 

diff --git a/tests/test_decorators.py b/tests/test_decorators.py
@@ -1,6 +1,6 @@
 from sanic import Sanic
 from sanic.blueprints import Blueprint
-from sanic.response import json, text, html
+from sanic.response import html, json, text
 
 from sanic_jwt import Initialize
 from sanic_jwt.decorators import inject_user, protected, scoped
@@ -233,7 +233,7 @@ async def my_protected_static(request):
     request, response = sanic_app.test_client.get("/protected/static")
 
     assert response.status == 200
-    assert response.body == b'<html><body>Home</body></html>'
+    assert response.body == b"<html><body>Home</body></html>"
     assert response.history
     assert response.history[0].status_code == 302
 

diff --git a/tests/test_decorators_override_config.py b/tests/test_decorators_override_config.py
@@ -1,10 +1,10 @@
 from datetime import datetime, timedelta
 
+import jwt
 from sanic import Sanic
 from sanic.blueprints import Blueprint
 from sanic.response import json
 
-import jwt
 from freezegun import freeze_time
 from sanic_jwt import Initialize
 from sanic_jwt.decorators import protected

diff --git a/tests/test_endpoints_auth.py b/tests/test_endpoints_auth.py
@@ -1,6 +1,5 @@
-import pytest
-
 import jwt
+import pytest
 
 
 @pytest.fixture

diff --git a/tests/test_endpoints_basic.py b/tests/test_endpoints_basic.py
@@ -1,6 +1,5 @@
-import pytest
-
 import jwt
+import pytest
 
 
 def test_unprotected(app):

diff --git a/tests/test_endpoints_cbv.py b/tests/test_endpoints_cbv.py
@@ -1,8 +1,8 @@
+import jwt
 from sanic import Sanic
 from sanic.response import json
 from sanic.views import HTTPMethodView
 
-import jwt
 from sanic_jwt import exceptions, Initialize
 from sanic_jwt.decorators import protected
 

diff --git a/tests/test_endpoints_cookies.py b/tests/test_endpoints_cookies.py
@@ -1,11 +1,12 @@
 import binascii
 import os
+from datetime import datetime
 
 import jwt
 import pytest
-
 from sanic import Sanic
 from sanic.response import json
+
 from sanic_jwt import Initialize, protected
 
 
@@ -426,6 +427,7 @@ def test_config_with_cookie_path(users, authenticate):
     cookie = response.raw_cookies.get("access_token")
     assert cookie.path == path
 
+
 def test_with_split_cookie(app):
     sanic_app, sanicjwt = app
     sanicjwt.config.cookie_set.update(True)
@@ -444,13 +446,17 @@ def test_with_split_cookie(app):
     assert token_cookie
     assert signature_cookie
 
-    raw_token_cookie, raw_signature_cookie = [value.decode(response.headers.encoding) for key, value in response.headers.raw if key.lower() == b'set-cookie']
-
+    raw_token_cookie, raw_signature_cookie = [
+        value.decode(response.headers.encoding)
+        for key, value in response.headers.raw
+        if key.lower() == b"set-cookie"
+    ]
+
     assert raw_token_cookie
     assert raw_signature_cookie
 
-    assert token_cookie.value.count('.') == 1
-    assert signature_cookie.value.count('.') == 0
+    assert token_cookie.value.count(".") == 1
+    assert signature_cookie.value.count(".") == 0
     assert "HttpOnly" not in raw_token_cookie
     assert "HttpOnly" in raw_signature_cookie
 
@@ -475,3 +481,52 @@ def test_with_split_cookie(app):
 
     assert response.status == 200
     assert response.json.get("valid") == True
+
+
+def test_with_cookie_normal(app):
+    sanic_app, sanicjwt = app
+    sanicjwt.config.cookie_set.update(True)
+
+    _, response = sanic_app.test_client.post(
+        "/auth",
+        json={"username": "user1", "password": "abcxyz"},
+        raw_cookies=True,
+    )
+
+    raw_token_cookie = [
+        value.decode(response.headers.encoding)
+        for key, value in response.headers.raw
+        if key.lower() == b"set-cookie"
+    ][0]
+
+    assert raw_token_cookie
+    assert "httponly" in raw_token_cookie.lower()
+    assert "expired" not in raw_token_cookie.lower()
+    assert "secure" not in raw_token_cookie.lower()
+    assert "max-age" not in raw_token_cookie.lower()
+
+
+def test_with_cookie_config(app):
+    sanic_app, sanicjwt = app
+    sanicjwt.config.cookie_set.update(True)
+    sanicjwt.config.cookie_httponly.update(False)
+    sanicjwt.config.cookie_expires.update(datetime(2100, 1, 1))
+    sanicjwt.config.cookie_secure.update(True)
+    sanicjwt.config.cookie_max_age.update(10)
+
+    _, response = sanic_app.test_client.post(
+        "/auth",
+        json={"username": "user1", "password": "abcxyz"},
+        raw_cookies=True,
+    )
+
+    raw_token_cookie = [
+        value.decode(response.headers.encoding)
+        for key, value in response.headers.raw
+        if key.lower() == b"set-cookie"
+    ][0]
+    assert raw_token_cookie
+    assert "httponly" not in raw_token_cookie.lower()
+    assert "expires=fri, 01-jan-2100 00:00:00 gmt" in raw_token_cookie.lower()
+    assert "secure" in raw_token_cookie.lower()
+    assert "max-age=10" in raw_token_cookie.lower()