When you log in to the main DOMjudge, allow to use the API with the s…

…ame user
DOMjudge · Jun 3, 2024 · 080932d · 080932d
1 parent e6c58ec
commit 080932d
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/webapp/config/packages/security.yaml b/webapp/config/packages/security.yaml
@@ -33,8 +33,8 @@ security:
         # API does Basic Auth and IP address auth
         api:
             pattern: ^/api
+            context: domjudge
             provider: domjudge_db_provider
-            stateless: true
             user_checker: App\Security\UserChecker
             entry_point: App\Security\DOMJudgeIPAuthenticator
             # SEE NOTE ABOVE IF CHANGING ANYTHING HERE
@@ -45,6 +45,7 @@ security:
         # Provides prometheus metrics
         metrics:
             pattern: ^/prometheus/metrics
+            context: domjudge
             provider: domjudge_db_provider
             stateless: true
             user_checker: App\Security\UserChecker
@@ -57,6 +58,7 @@ security:
         # rest of app does form_login
         main:
             pattern: ^/
+            context: domjudge
             provider: domjudge_db_provider
             user_checker: App\Security\UserChecker
             entry_point: App\Security\DOMJudgeXHeadersAuthenticator

diff --git a/webapp/src/EventListener/NoSessionCookieForApiListener.php b/webapp/src/EventListener/NoSessionCookieForApiListener.php
@@ -0,0 +1,24 @@
+<?php declare(strict_types=1);
+
+namespace App\EventListener;
+
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\HttpKernel\Event\ResponseEvent;
+
+// The AbstractSessionListener (which sets the cookie) has a priority of -1000, so we need to
+// set a priority of -1001 to run before it.
+#[AsEventListener(priority: -1001)]
+class NoSessionCookieForApiListener
+{
+    public function __invoke(ResponseEvent $event): void
+    {
+        // We do not want to set the session cookie for API requests. Since the firewall is
+        // stateful (because we want form logins to allow to access the API), we need to remove
+        // the cookie
+        $request = $event->getRequest();
+        $response = $event->getResponse();
+        if ($request->attributes->get('_firewall_context') === 'security.firewall.map.context.api') {
+            $response->headers->removeCookie($request->getSession()->getName());
+        }
+    }
+}
diff --git a/webapp/tests/Unit/BaseTestCase.php b/webapp/tests/Unit/BaseTestCase.php
@@ -141,7 +141,7 @@ protected function loginHelper(
      */
     protected function logIn(): void
     {
-        $this->client->loginUser($this->setupUser());
+        $this->client->loginUser($this->setupUser(), 'domjudge');
     }
 
     /**
-Original file line number
+Diff line change
@@ Expand Up / @@ -141,7 +141,7 @@ protected function loginHelper( @@
          */
         protected function logIn(): void
         {
-            $this->client->loginUser($this->setupUser());
+            $this->client->loginUser($this->setupUser(), 'domjudge');
         }
         /**
@@ Expand Down @@