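--- a/login_routes.hpp
+++ b/login_routes.hpp
@@ -1,8 +1,8 @@
 #pragma once
 
 #include "app.hpp"
 #include "common.hpp"
 #include "http_request.hpp"
 #include "http_response.hpp"
 #include "multipart_parser.hpp"
 #include "pam_authenticate.hpp"
@@ -191,32 +191,22 @@
 // code.
 // TODO(ed).... Fix that upstream
 
 asyncResp->res.jsonValue["data"] =
 "User '" + std::string(username) + "' logged in";
 asyncResp->res.jsonValue["message"] = "200 OK";
 asyncResp->res.jsonValue["status"] = "ok";
 
-// Hack alert. Boost beast by default doesn't let you
-// declare multiple headers of the same name, and in
-// most cases this is fine. Unfortunately here we need
-// to set the Session cookie, which requires the
-// httpOnly attribute, as well as the XSRF cookie, which
-// requires it to not have an httpOnly attribute. To get
-// the behavior we want, we simply inject the second
-// "set-cookie" string into the value header, and get
-// the result we want, even though we are technicaly
-// declaring two headers here.
 asyncResp->res.addHeader(
-"Set-Cookie",
+boost::beast::http::field::set_cookie,
 "XSRF-TOKEN=" + session->csrfToken +
-"; SameSite=Strict; Secure\r\nSet-Cookie: "
-"SESSION=" +
-session->sessionToken +
+"; SameSite=Strict; Secure");
+asyncResp->res.addHeader(
+boost::beast::http::field::set_cookie,
+"SESSION=" + session->sessionToken +
 "; SameSite=Strict; Secure; HttpOnly");
 }
 else
 {
 // if content type is json, assume json token
 asyncResp->res.jsonValue["token"] = session->sessionToken;
 }
 }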
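Review bot: The two `addHeader(boost::beast::http::field::set_cookie, …)` calls at new lines 199–206 only deliver both cookies if `Response::addHeader` appends (beast `fields::insert`) rather than replaces (`fields::set`) — the deleted comment claimed duplicate headers were not possible here, so that assumption deserves a one-line comment or a test asserting the response carries two Set-Cookie headers. With the old comment gone, the deliberate asymmetry (`XSRF-TOKEN` without HttpOnly so script can read it, `SESSION` with HttpOnly) is now undocumented and a later maintainer could add HttpOnly to both and break whatever client-side check relies on reading the XSRF cookie; I would add `// XSRF-TOKEN is intentionally NOT HttpOnly: the browser client must read it and echo it back. SESSION must stay HttpOnly.` above the first call. Both token values are interpolated straight into the header, which is safe only as long as csrfToken and sessionToken come from a cookie-safe alphabet (no `;`, CR or LF) — presumably true but not visible in this hunk. The enclosing handler begins and ends outside the hunk.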