Disable Secure cookies by default, enable when using HTTPS

Flagsmith · Jan 17, 2025 · 3323a9d · 3323a9d
1 parent 6c9ad03
commit 3323a9d
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 10 deletions.
diff --git a/api/app/settings/common.py b/api/app/settings/common.py
@@ -1043,8 +1043,8 @@
 PREVENT_SIGNUP = env.bool("PREVENT_SIGNUP", default=False)
 PREVENT_EMAIL_PASSWORD = env.bool("PREVENT_EMAIL_PASSWORD", default=False)
 COOKIE_AUTH_ENABLED = env.bool("COOKIE_AUTH_ENABLED", default=False)
-USE_SECURE_COOKIES = env.bool("USE_SECURE_COOKIES", default=True)
-COOKIE_SAME_SITE = env.str("COOKIE_SAME_SITE", default="none")
+USE_SECURE_COOKIES = env.bool("USE_SECURE_COOKIES", default=False)
+COOKIE_SAME_SITE = env.str("COOKIE_SAME_SITE", default=None)
 
 # CORS settings
 

diff --git a/api/app/views.py b/api/app/views.py
@@ -56,14 +56,22 @@ def project_overrides(request):
         "preventEmailPassword": "PREVENT_EMAIL_PASSWORD",
         "preventSignup": "PREVENT_SIGNUP",
         "sentry": "SENTRY_API_KEY",
-        "useSecureCookies": "USE_SECURE_COOKIES",
     }
 
     override_data = {
         key: getattr(settings, value)
         for key, value in config_mapping_dict.items()
         if getattr(settings, value, None) is not None
     }
+    is_secure_request = request.is_secure()
+    override_data["useSecureCookies"] = is_secure_request or settings.USE_SECURE_COOKIES
+    if settings.COOKIE_SAME_SITE is not None:
+        same_site = settings.COOKIE_SAME_SITE
+    elif is_secure_request:
+        same_site = "None"
+    else:
+        same_site = "Lax"
+    override_data["cookieSameSite"] = same_site
 
     return HttpResponse(
         content="window.projectOverrides = " + json.dumps(override_data),

diff --git a/api/custom_auth/jwt_cookie/services.py b/api/custom_auth/jwt_cookie/services.py
@@ -6,13 +6,13 @@
 from users.models import FFAdminUser
 
 
-def authorise_response(user: FFAdminUser, response: Response) -> Response:
+def authorise_response(user: FFAdminUser, response: Response, secure=False) -> Response:
     sliding_token = SlidingToken.for_user(user)
     response.set_cookie(
         JWT_SLIDING_COOKIE_KEY,
         str(sliding_token),
         httponly=True,
-        secure=settings.USE_SECURE_COOKIES,
+        secure=secure,
         samesite=settings.COOKIE_SAME_SITE,
     )
     return response
diff --git a/api/custom_auth/views.py b/api/custom_auth/views.py
@@ -60,7 +60,11 @@ def post(self, request: Request) -> Response:
             )
         except MFAMethodDoesNotExistError:
             if settings.COOKIE_AUTH_ENABLED:
-                return authorise_response(user, Response(status=HTTP_204_NO_CONTENT))
+                return authorise_response(
+                    user,
+                    Response(status=HTTP_204_NO_CONTENT),
+                    secure=request.is_secure(),
+                )
             return self._action(serializer)
 
 
@@ -83,7 +87,11 @@ def post(self, request: Request) -> Response:
             )
             serializer.user = user
             if settings.COOKIE_AUTH_ENABLED:
-                return authorise_response(user, Response(status=HTTP_204_NO_CONTENT))
+                return authorise_response(
+                    user,
+                    Response(status=HTTP_204_NO_CONTENT),
+                    secure=request.is_secure(),
+                )
             return self._action(serializer)
         except MFAValidationError as cause:
             return ErrorResponse(error=cause, status=status.HTTP_401_UNAUTHORIZED)

diff --git a/frontend/api/index.js b/frontend/api/index.js
@@ -117,8 +117,8 @@ app.get('/config/project-overrides', (req, res) => {
       value: envToBool('LINKEDIN_PARTNER_TRACKING', false),
     },
     { name: 'albacross', value: process.env.ALBACROSS_CLIENT_ID },
-    { name: 'useSecureCookies', value: envToBool('USE_SECURE_COOKIES', true) },
-    { name: 'cookieSameSite', value: process.env.USE_SECURE_COOKIES },
+    { name: 'useSecureCookies', value: envToBool('USE_SECURE_COOKIES', false) },
+    { name: 'cookieSameSite', value: process.env.COOKIE_SAME_SITE },
     { name: 'cookieAuthEnabled', value: process.env.COOKIE_AUTH_ENABLED },
     {
       name: 'githubAppURL',

diff --git a/frontend/web/project/api.js b/frontend/web/project/api.js
@@ -283,7 +283,7 @@ global.API = {
           require('js-cookie').set(key, v, {
             expires: 30,
             path: '/',
-            sameSite: Project.cookieSameSite || 'none',
+            sameSite: Project.cookieSameSite || 'Lax',
             secure: Project.useSecureCookies,
           })
         }