Fix session resume and auth helper fallbacks

2026-03-08 23:12:02 -04:00
parent b229e20ae2
commit d111146554
5 changed files with 54 additions and 4 deletions
--- a/server/app/server.py
+++ b/server/app/server.py
@@ -22,6 +22,7 @@ import uuid
 from pathlib import Path
 from typing import Literal
 from urllib.error import URLError
+from urllib.parse import urlsplit, urlunsplit
 from zoneinfo import ZoneInfo

 from pydantic import ValidationError, TypeAdapter
@@ -330,13 +331,26 @@ class SignalingServer:
        if not self.host_origin:
            return False
        raw_origin = str(request.headers.get("Origin", "")).strip()
-        if not raw_origin:
+        if raw_origin:
+            try:
+                origin = normalize_origin(raw_origin)
+            except ValueError:
+                return False
+            return origin == self.host_origin
+
+        fetch_site = str(request.headers.get("Sec-Fetch-Site", "")).strip().lower()
+        if fetch_site == "same-origin":
+            return True
+
+        raw_referer = str(request.headers.get("Referer", "")).strip()
+        if not raw_referer:
            return False
        try:
-            origin = normalize_origin(raw_origin)
+            parts = urlsplit(raw_referer)
+            referer_origin = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
+            return normalize_origin(referer_origin, field_name="referer") == self.host_origin
        except ValueError:
            return False
-        return origin == self.host_origin

    @staticmethod
    def _cookie_value(cookie_header: str, name: str) -> str:
--- a/server/tests/test_http_session_cookie.py
+++ b/server/tests/test_http_session_cookie.py
@@ -118,6 +118,23 @@ async def test_session_cookie_helpers_reject_wrong_origin() -> None:
    assert response.status_code == 403


+@pytest.mark.asyncio
+async def test_session_cookie_helpers_accept_same_origin_referer_without_origin() -> None:
+    server = _server()
+    request = _request(
+        server.auth_session_cookie_clear_path,
+        headers={
+            AUTH_SESSION_COOKIE_CLIENT_HEADER: "1",
+            "Referer": "https://example.com/chgrid/",
+        },
+    )
+
+    response = await server._process_http_request(SimpleNamespace(), request)
+
+    assert response is not None
+    assert response.status_code == 200
+
+
 def test_session_token_from_websocket_cookie_reads_named_cookie() -> None:
    server = SignalingServer("127.0.0.1", 8765, None, None, base_path="/chgrid/")
    websocket = SimpleNamespace(