Spaces:
Running
Running
Allow iframe embedding
Browse files- app/main.py +8 -2
- tests/unit/test_iframe_session_cookie.py +38 -0
app/main.py
CHANGED
|
@@ -47,8 +47,14 @@ class SessionMiddleware(BaseHTTPMiddleware):
|
|
| 47 |
response = await call_next(request)
|
| 48 |
|
| 49 |
if created_new:
|
| 50 |
-
# Set cookie for 1 day
|
| 51 |
-
response.set_cookie(
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 52 |
|
| 53 |
return response
|
| 54 |
|
|
|
|
| 47 |
response = await call_next(request)
|
| 48 |
|
| 49 |
if created_new:
|
| 50 |
+
# Set cookie for 1 day (SameSite=None, Secure=True for iframe embedding)
|
| 51 |
+
response.set_cookie(
|
| 52 |
+
key="session_id",
|
| 53 |
+
value=session_id,
|
| 54 |
+
max_age=86400,
|
| 55 |
+
samesite="none",
|
| 56 |
+
secure=True
|
| 57 |
+
)
|
| 58 |
|
| 59 |
return response
|
| 60 |
|
tests/unit/test_iframe_session_cookie.py
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
import sys
|
| 2 |
+
import os
|
| 3 |
+
|
| 4 |
+
# Add the project root to the python path
|
| 5 |
+
PROJECT_ROOT = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', '..'))
|
| 6 |
+
sys.path.insert(0, PROJECT_ROOT)
|
| 7 |
+
|
| 8 |
+
from fastapi.testclient import TestClient
|
| 9 |
+
from app.main import app
|
| 10 |
+
|
| 11 |
+
def test_session_cookie_allows_cross_origin_iframe():
|
| 12 |
+
"""
|
| 13 |
+
Test to check if the session_id cookie is configured to allow
|
| 14 |
+
cross-origin iframe embedding and requests.
|
| 15 |
+
This requires SameSite=None and Secure=True HTTP cookie attributes.
|
| 16 |
+
"""
|
| 17 |
+
print("Running test_session_cookie_allows_cross_origin_iframe...", flush=True)
|
| 18 |
+
client = TestClient(app)
|
| 19 |
+
response = client.get("/")
|
| 20 |
+
assert response.status_code == 200
|
| 21 |
+
|
| 22 |
+
# Get the Set-Cookie header
|
| 23 |
+
set_cookie_header = response.headers.get("set-cookie")
|
| 24 |
+
assert set_cookie_header is not None, "No Set-Cookie header found"
|
| 25 |
+
print(f"Set-Cookie header found: {set_cookie_header}", flush=True)
|
| 26 |
+
|
| 27 |
+
# We expect 'session_id=' to be part of the setup
|
| 28 |
+
assert "session_id=" in set_cookie_header
|
| 29 |
+
|
| 30 |
+
# For iframe cross-origin, we must have SameSite=None and Secure
|
| 31 |
+
set_cookie_lower = set_cookie_header.lower()
|
| 32 |
+
|
| 33 |
+
assert "samesite=none" in set_cookie_lower, "Cookie must have SameSite=None to work in an iframe"
|
| 34 |
+
assert "secure" in set_cookie_lower, "Cookie must be marked Secure to use SameSite=None"
|
| 35 |
+
print("Test passed!", flush=True)
|
| 36 |
+
|
| 37 |
+
if __name__ == "__main__":
|
| 38 |
+
test_session_cookie_allows_cross_origin_iframe()
|