enhance security by enforcing strict SameSite cookies, validating OIDC callback host, and improving path matching logic

This commit is contained in:
Eduardo Silva
2026-03-16 19:35:24 -03:00
parent 3a8d807665
commit bf1991457a
5 changed files with 25 additions and 5 deletions


@@ -43,7 +43,7 @@ def _redirect_with_cookie(request: Request, destination: str, session) -> Redire
value=session.session_id,
httponly=True,
secure=request.app.state.settings.secure_cookies,
samesite="lax",
samesite="strict",
path="/",
)
return response
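Review bot: Switching the session cookie to `samesite="strict"` on the changed line is likely to break the OIDC round-trip if `_redirect_with_cookie` is what the callback returns on success: the IdP-to-callback request is a cross-site navigation, and browsers implementing the RFC 6265bis redirect-chain rule (current Chrome and Firefox) treat the callback's 302 to `destination` as part of that cross-site chain, so the freshly set Strict cookie is not sent and the user lands on `destination` unauthenticated. `samesite="lax"` is the usual choice for a session cookie in a federated-login app, with login CSRF covered by the OIDC `state` check; the second hunk's host comparison appears to key off `state` rather than the cookie, so it would be unaffected. If Strict is a hard requirement, the common workaround is to 302 to a same-site interstitial page that then navigates to `destination`, rather than redirecting directly, and that decision should be recorded in a comment next to `samesite=`. `_redirect_with_cookie` starts before this hunk, so the call sites that would be affected are not visible here.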
@@ -237,6 +237,11 @@ async def login_oidc_callback(request: Request, state: str):
if not oidc_state:
return _render(request, "error.html", status_code=400, title="Invalid OIDC state", message="The OIDC login state is missing or expired.")
callback_host = normalize_host(request.headers.get("host", ""))
if oidc_state.host != callback_host:
logger.warning("OIDC callback host mismatch: expected '%s', got '%s'", oidc_state.host, callback_host)
return _render(request, "error.html", status_code=400, title="OIDC callback host mismatch", message="The OIDC callback host does not match the original request host.")
context = resolve_context_from_request(request, runtime_config, oidc_state.next_url)
effective_policy = get_effective_policy(runtime_config, context.policy_name)
method = runtime_config.auth_methods.get(oidc_state.method_name)