Scope session cookies by grid path

2026-03-08 22:59:59 -04:00
parent 54a7a3085b
commit 19b593b1aa
5 changed files with 33 additions and 14 deletions
--- a/server/tests/test_http_session_cookie.py
+++ b/server/tests/test_http_session_cookie.py
@@ -11,7 +11,6 @@ from app.server import (
    AUTH_SESSION_COOKIE_CLIENT_HEADER,
    AUTH_SESSION_COOKIE_CHECK_PATH,
    AUTH_SESSION_COOKIE_CLEAR_PATH,
-    AUTH_SESSION_COOKIE_NAME,
    AUTH_SESSION_COOKIE_SET_PATH,
    SignalingServer,
 )
@@ -47,7 +46,7 @@ async def test_session_cookie_set_endpoint_sets_httponly_cookie() -> None:
    assert response is not None
    assert response.status_code == 200
    set_cookie = response.headers.get("Set-Cookie", "")
-    assert f"{AUTH_SESSION_COOKIE_NAME}=" in set_cookie
+    assert f"{server.auth_session_cookie_name}=" in set_cookie
    assert "Path=/chgrid/" in set_cookie
    assert "HttpOnly" in set_cookie
    assert "SameSite=Lax" in set_cookie
@@ -66,7 +65,7 @@ async def test_session_cookie_clear_endpoint_expires_cookie() -> None:
    assert response is not None
    assert response.status_code == 200
    set_cookie = response.headers.get("Set-Cookie", "")
-    assert f"{AUTH_SESSION_COOKIE_NAME}=" in set_cookie
+    assert f"{server.auth_session_cookie_name}=" in set_cookie
    assert "Max-Age=0" in set_cookie
    assert "HttpOnly" in set_cookie

@@ -80,7 +79,7 @@ async def test_session_cookie_check_endpoint_accepts_valid_cookie() -> None:
        server.auth_session_cookie_check_path,
        headers={
            AUTH_SESSION_COOKIE_CLIENT_HEADER: "1",
-            "Cookie": f"{AUTH_SESSION_COOKIE_NAME}={session.token}",
+            "Cookie": f"{server.auth_session_cookie_name}={session.token}",
            "Origin": "https://example.com",
        },
    )
@@ -120,13 +119,21 @@ async def test_session_cookie_helpers_reject_wrong_origin() -> None:


 def test_session_token_from_websocket_cookie_reads_named_cookie() -> None:
-    server = SignalingServer("127.0.0.1", 8765, None, None)
+    server = SignalingServer("127.0.0.1", 8765, None, None, base_path="/chgrid/")
    websocket = SimpleNamespace(
        request=SimpleNamespace(
-            headers=Headers({"Cookie": f"foo=bar; {AUTH_SESSION_COOKIE_NAME}=abc123; hello=world"})
+            headers=Headers({"Cookie": f"foo=bar; {server.auth_session_cookie_name}=abc123; hello=world"})
        )
    )

    token = server._session_token_from_websocket_cookie(websocket)

    assert token == "abc123"
+
+
+def test_session_cookie_name_scopes_to_base_path() -> None:
+    root_server = SignalingServer("127.0.0.1", 8765, None, None, base_path="/")
+    nested_server = SignalingServer("127.0.0.1", 8765, None, None, base_path="/ttgrid/")
+
+    assert root_server.auth_session_cookie_name == "chgrid_session_token"
+    assert nested_server.auth_session_cookie_name == "chgrid_session_ttgrid"