dev -> master #97
dev -> master #97
Conversation
ARXIVCE-190: eust can become a moderator for testing arxiv-check
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| # accounts/accounts/controllers/authentication.py:190 | ||
| def unset_masquerade_cookie(response: Response) -> None: | ||
| cookie_name = current_app.config[f'MASQUERADE_COOKIE_NAME'] | ||
| response.set_cookie(key=cookie_name, value='', max_age=0, httponly=True) |
Check warning
Code scanning / CodeQL
Failure to use secure cookies Medium
| set_cookies(response, data) | ||
| unset_submission_cookie(response) | ||
| unset_permanent_cookie(response) | ||
| response.set_cookie(key=tracking_cookie_name, value='', max_age=0, httponly=True) |
Check warning
Code scanning / CodeQL
Failure to use secure cookies Medium
| @@ -14,7 +14,12 @@ python-dateutil = "*" | |||
| pyjwt = "*" | |||
| redis = "==2.10.6" | |||
| redis-py-cluster = "==1.3.6" | |||
| pydantic = "*" | |||
| pydantic = "^1.0" | |||
There was a problem hiding this comment.
Can we switch to pydantic 2 in new code, if somehow possible?
There was a problem hiding this comment.
Sure!
This is an update to the currently running code, which we don't want to spend time updating.
We expect it to be replaced by keycloak
There was a problem hiding this comment.
I'd skip upgrading to pydantic v2 to avoid extra work. This code is end of life.
| if DEBUG: | ||
| print("BU-DEBUG: become_jwt", become_jwt) | ||
|
|
||
| next_page = "https://check.dev.arxiv.org/" |
There was a problem hiding this comment.
next_page is not pulled from a query parameter. This may or may not be the intent.
In other places next_page works by being a query parameter. It needs to be check that the hostname is an arxiv domain.
|
@bdc34 @ntai-arxiv , the "production" branch is running at cit, so I replayed these commits onto a fork of that branch. I don't expect this PR to be needed, as my guess is something different will be implemented along with the keycloak upgrade. I'll merge this for reference/consistency between the master and production branches, but this code isn't the running code at arxiv.org/become_user The deployed PR: |
This can be tested on dev, notes here:
https://arxiv-org.atlassian.net/wiki/spaces/AD/pages/1185742849/arXivCheck+Become+User
Depends on:
https://github.com/arXiv/arxiv-httpd/pull/78
And a fastly route, to cit for:
/become_user