Rework OpenID service cookie handling #521

Merged
jonasbardino merged 4 commits into next from adjust/openid-service-cookie-value-escaping
Apr 21, 2026


@jonasbardino (Contributor) commented Apr 17, 2026

Rework OpenID service cookie handling to address a couple of potential issues highlighted by code scans. Namely, encode and decode cookie values to base64.

We need to consider issues like these until we complete an OpenID Connect replacement.

…l issues

highlighted by code scans. Namely, encode and decode cookie values to base64.
@jonasbardino jonasbardino added the enhancement New feature or request label Apr 17, 2026
@jonasbardino jonasbardino self-assigned this Apr 17, 2026
@jonasbardino jonasbardino added this to the OpenID Connect Support milestone Apr 17, 2026
Comment thread mig/server/grid_openid.py Fixed
Comment thread mig/server/grid_openid.py Fixed
@jonasbardino jonasbardino changed the title Rework openid service cookie handling Rework OpenID service cookie handling Apr 17, 2026
protection against cookie or header splitting issues even though input
validation should already prevent it.
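
The idea named in this PR, base64-encoding cookie values so that CR/LF or separator characters can never reach the header, shown as an added sketch that is not the code from `mig/server/grid_openid.py`. The helper names, the cookie name and the sample value are assumptions made for illustration.

```python
import base64
import binascii
import re

# Hypothetical helper names; the PR's own functions are not shown on this page.
# URL-safe base64 alphabet plus up to two padding characters, nothing else.
_B64_RE = re.compile(r'[A-Za-z0-9_-]*={0,2}')


def encode_cookie_value(raw):
    """Return a URL-safe base64 form of raw (str) that is safe inside a header."""
    return base64.urlsafe_b64encode(raw.encode('utf-8')).decode('ascii')


def decode_cookie_value(encoded):
    """Return the original str, or None if encoded is not strict base64."""
    # fullmatch rejects trailing newlines that a '$' anchor would let through
    if not isinstance(encoded, str) or not _B64_RE.fullmatch(encoded):
        return None
    try:
        return base64.urlsafe_b64decode(encoded.encode('ascii')).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def build_set_cookie(name, raw_value):
    """Build one Set-Cookie header line carrying the encoded value."""
    return 'Set-Cookie: %s=%s; Secure; HttpOnly' % (
        name, encode_cookie_value(raw_value))


# Constructed sample: CR/LF and ';' would split the header if written raw
SAMPLE = 'alice\r\nX-Injected: 1; Path=/'

if __name__ == '__main__':
    print(build_set_cookie('session_user', SAMPLE))
    print(decode_cookie_value(encode_cookie_value(SAMPLE)) == SAMPLE)
    print(decode_cookie_value('not base64\r\n'))
```

Decoding is deliberately strict: anything outside the base64 alphabet or with bad padding is rejected instead of being passed on to later parsing.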
@jonasbardino (Contributor, Author)

The lint issue is old and a duplicate of the one from #338.

@jonasbardino jonasbardino marked this pull request as ready for review April 17, 2026 15:43
@jonasbardino (Contributor, Author)

Tested to be functional on one of our dev/test deployments.

@jonasbardino jonasbardino requested a review from a team April 17, 2026 15:43
@jonasbardino jonasbardino added stale check errors Linting/CI errors are stale old issues not caused by this PR and will be fixed elsewhere. battle-tested Code was tested to be fully functional in line with project code guidelines. labels Apr 18, 2026
Comment thread mig/server/grid_openid.py Outdated
@Martin-Rehr (Contributor) left a comment

Approved when typo is fixed

Most likely from a stray 'i' to enter interactive mode in vim(diff).
@jonasbardino jonasbardino merged commit eb7793a into next Apr 21, 2026
9 of 11 checks passed
@jonasbardino jonasbardino deleted the adjust/openid-service-cookie-value-escaping branch April 21, 2026 12:56
Labels

battle-tested: Code was tested to be fully functional in line with project code guidelines.
enhancement: New feature or request
stale check errors: Linting/CI errors are stale old issues not caused by this PR and will be fixed elsewhere.

3 participants