cookie fixes

backend/main.py

@@ -230,7 +230,7 @@ def post(self):
             mail_body = util.money_request_mail_test.format(
                 name=safeNameFrom, requester=safeNameTo, money=f"{amount:.2f}", url=util.domain)
             mail.send_mail("Überweisungsanfrage",
-                           mail.mail_from_username(username),mail_body)
+                           mail.mail_from_username(username), mail_body)
             db.add_message(user, outputDescription, f"von {safeNameTo}", request=json.dumps({
                            "to": toUser, "amount": amount}))
 
@@ -330,17 +330,19 @@ def delete(self, member_id):
             return util.build_response(db.remove_messages(member_id))
         return util.build_response("Unauthorized", code=403)
 
+
 @api.route('/users/<int:member_id>/messages/<int:message_id>')
 class user_messages(Resource):
     @authenticated
-    def delete(self, member_id,message_id):
+    def delete(self, member_id, message_id):
         """
         Removes all messages of a user
         """
         if is_self_or_admin(request, member_id):
             return util.build_response(db.remove_message(message_id))
         return util.build_response("Unauthorized", code=403)
 
+
 model = api.model('Add User', {
     'name': fields.String(description='Name of the new user', required=True),
     'alias': fields.String(description='Alias of the user', required=False),
@@ -774,9 +776,9 @@ def get(self):
 
         r = flask.redirect(util.OIDC_REDIRECT_MAIN_PAGE, code=302)
         r.set_cookie(f"{util.auth_cookie_memberID}memberID", str(user_id),
-                      max_age=util.cookie_expire, samesite='Strict')
+                     max_age=util.cookie_expire, samesite='Strict', secure=not util.logging_enabled)
         r.set_cookie(f"{util.auth_cookie_memberID}token", login_token,
-                      max_age=util.cookie_expire, samesite='Strict')
+                     max_age=util.cookie_expire, samesite='Strict', secure=not util.logging_enabled)
 
         return r
 
@@ -835,8 +837,10 @@ def post(self):
         """
         Invalidates the current token
         """
-        token_manager.delete_token(request.cookies.get(f"{util.auth_cookie_memberID}token"))
-        util.log("Logout", f"MemberID: {request.cookies.get(f'{util.auth_cookie_memberID}memberID')}")
+        token_manager.delete_token(request.cookies.get(
+            f"{util.auth_cookie_memberID}token"))
+        util.log(
+            "Logout", f"MemberID: {request.cookies.get(f'{util.auth_cookie_memberID}memberID')}")
         return util.build_response("OK")
 
 

backend/util.py

@@ -37,7 +37,7 @@
 password_hash_rounds = max(10000, int(os.environ.get(
     "PASSSWORD_HASH_ROUNDS"))) if os.environ.get("PASSSWORD_HASH_ROUNDS") else 500000
 
-auth_cookie_memberID=os.environ.get(
+auth_cookie_memberID = os.environ.get(
     "AUTH_COOKIE_PREFIX") if os.environ.get("AUTH_COOKIE_PREFIX") else ""
 
 mail_server = os.environ.get(
@@ -84,9 +84,9 @@ def build_response(message: object, code: int = 200, type: str = "application/js
     r = Response(response=json.dumps(message), status=code, mimetype=type)
     if cookieMemberID and cookieToken:
         r.set_cookie(f"{auth_cookie_memberID}memberID", str(cookieMemberID),
-                     max_age=cookie_expire, samesite='Strict')
+                     max_age=cookie_expire, samesite='Strict', secure=not logging_enabled)
         r.set_cookie(f"{auth_cookie_memberID}token", cookieToken,
-                     max_age=cookie_expire, samesite='Strict')
+                     max_age=cookie_expire, samesite='Strict', secure=not logging_enabled)
 
     return r
 
@@ -125,6 +125,6 @@ def get_user_info(access_token, resource_url):
 Viele Grüße
 """
 
-money_request_mail_test="""Hallo {name},
+money_request_mail_test = """Hallo {name},
 {requester} möchte eine Ausgabe von {money}€ mit dir teilen, gehe jetzt auf {url} um die Zahlung zu bestätigen.
-"""
+"""