Fix session cookie

2024-11-01 03:40:49 +00:00 · 2024-11-01 03:40:49 +00:00 · f9b39d0df8
parent 86ea93545b
commit f9b39d0df8
1 changed files with 16 additions and 9 deletions
--- a/backend/src/google_oauth.rs
+++ b/backend/src/google_oauth.rs
@ -11,6 +11,7 @@ use axum::{
 use axum_extra::TypedHeader;
 use dotenvy::var;
 use headers::Cookie;
+use http::{HeaderMap, HeaderValue};
 use oauth2::{
    basic::BasicClient, reqwest::http_client, AuthUrl, AuthorizationCode, ClientId, ClientSecret,
    CsrfToken, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RevocationUrl, Scope,
@ -109,10 +110,15 @@ pub async fn google_auth_return(
 ) -> Result<impl IntoResponse, AppError> {
    let state = CsrfToken::new(params.remove("state").ok_or("OAuth: without state")?);
    let code = AuthorizationCode::new(params.remove("code").ok_or("OAuth: without code")?);
-    let mut headers = axum::response::AppendHeaders([(
+    let mut headers = HeaderMap::new();
+    headers.insert(
+        axum::http::header::CACHE_CONTROL,
+        HeaderValue::from_static("no-store, no-cache, must-revalidate, max-age=0"),
+    );
+    headers.insert(
        axum::http::header::SET_COOKIE,
-        "session_token=".to_owned() + "; path=/; httponly; secure; samesite=strict",
-    )]);
+        HeaderValue::from_static("session_token=deleted; path=/; httponly; secure; samesite=strict"),
+    );

    let query: (String, String) = sqlx::query_as(
        r#"DELETE FROM oauth2_state_storage WHERE csrf_state = ? RETURNING pkce_code_verifier,return_url"#,
@ -229,12 +235,13 @@ pub async fn google_auth_return(
            let session_token_p2 = Uuid::new_v4().to_string();
            let session_token =
                [session_token_p1.as_str(), "_", session_token_p2.as_str()].concat();
-            headers = axum::response::AppendHeaders([(
-                axum::http::header::SET_COOKIE,
-                "session_token=".to_owned()
-                    + &*session_token
-                    + "; path=/; httponly; secure; samesite=strict",
-            )]);
+                *headers.entry(axum::http::header::SET_COOKIE).or_insert(HeaderValue::from_static("")) = 
+                    HeaderValue::from_str(
+                        &format!(
+                            "session_token={}; httponly; secure; samesite=lax", // path=/; samesite=strict
+                            session_token
+                        )
+                    ).map_err(|_| AppError::new("Failed to create session token header"))?;
            let now = Utc::now().timestamp();

            sqlx::query(