Restrict cookie usage on api endpoints (#2151)

app/api/base.py

@@ -5,6 +5,7 @@ import arrow
 from flask import Blueprint, request, jsonify, g
 from flask_login import current_user
 
+from app import constants
 from app.db import Session
 from app.models import ApiKey
 
@@ -18,7 +19,9 @@ def authorize_request() -> Optional[Tuple[str, int]]:
     api_key = ApiKey.get_by(code=api_code)
 
     if not api_key:
-        if current_user.is_authenticated:
+        if current_user.is_authenticated and request.headers.get(
+            constants.HEADER_ALLOW_API_COOKIES
+        ):
             g.user = current_user
         else:
             return jsonify(error="Wrong api key"), 401

app/constants.py

@@ -0,0 +1 @@
+HEADER_ALLOW_API_COOKIES = "X-Sl-Allowcookies"

server.py

@@ -29,7 +29,7 @@ from sentry_sdk.integrations.flask import FlaskIntegration
 from sentry_sdk.integrations.sqlalchemy import SqlalchemyIntegration
 from werkzeug.middleware.proxy_fix import ProxyFix
 
-from app import paddle_utils, config, paddle_callback
+from app import paddle_utils, config, paddle_callback, constants
 from app.admin_model import (
     SLAdminIndexView,
     UserAdmin,
@@ -430,6 +430,7 @@ def jinja2_filter(app):
             PAGE_LIMIT=PAGE_LIMIT,
             ZENDESK_ENABLED=ZENDESK_ENABLED,
             MAX_NB_EMAIL_FREE_PLAN=MAX_NB_EMAIL_FREE_PLAN,
+            HEADER_ALLOW_API_COOKIES=constants.HEADER_ALLOW_API_COOKIES,
         )
 
 

templates/dashboard/alias_contact_manager.html

@@ -264,6 +264,7 @@
           method: "POST",
           headers: {
             "Content-Type": "application/json",
+              '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
           }
         });
 

templates/dashboard/support.html

@@ -80,7 +80,10 @@
       },
       methods: {
         generateRandomAlias: async function (event) {
-          let result = await fetch('/api/alias/random/new', {method: 'POST'});
+          let result = await fetch('/api/alias/random/new', {method: 'POST',
+              headers: {
+              '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
+          }});
           if (result.ok) {
             let data = await result.json();
             this.ticket_email = data.alias;

templates/footer.html

@@ -216,6 +216,7 @@
           method: "POST",
           headers: {
             "Content-Type": "application/json",
+              '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
           }
         });
 
@@ -232,6 +233,7 @@
           method: "GET",
           headers: {
             "Content-Type": "application/json",
+              '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
           }
         });
         if (res.ok) {
@@ -249,6 +251,7 @@
         method: "GET",
         headers: {
           "Content-Type": "application/json",
+            '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
         }
       });
       if (res.ok) {

templates/phone/phone_reservation.html

@@ -87,6 +87,7 @@
             method: "GET",
             headers: {
               "Content-Type": "application/json",
+                '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
             }
           });
           if (res.ok) {