From 60b12fca5244f29df29ed3363b585903a5f67716 Mon Sep 17 00:00:00 2001
From: dandds <dan-ctr@friends.dds.mil>
Date: Mon, 6 Jan 2020 14:07:53 -0500
Subject: [PATCH] Config to specify session cookie domain.

This got lost somewhere along the way (almost certainly by me), so this
commit tries to make it explicit. The app needs to be able to configure
the session cookie domain name so that it is valid for both the main
site domain and the authentication subdomain. For instance, if the site
is runnning at uat.atat.code.mil and authentication happens at
auth-uat.atat.code.mil, SESSION_COOKIE_DOMAIN should be set to
atat.code.mil so that it's valid for both.

This adds the setting to the base INI file and a default for our K8s
clusters.
---
 README.md                               | 1 +
 config/base.ini                         | 1 +
 deploy/azure/atst-envvars-configmap.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 9c31fc19..5fdbf6d3 100644
--- a/README.md
+++ b/README.md
@@ -254,6 +254,7 @@ To generate coverage reports for the Javascript tests:
 - `SECRET_KEY`: String key which will be used to sign the session cookie. Should be a long string of random bytes. https://flask.palletsprojects.com/en/1.1.x/config/#SECRET_KEY
 - `SERVER_NAME`: Hostname for ATAT. Only needs to be specified in contexts where the hostname cannot be inferred from the request, such as Celery workers. https://flask.palletsprojects.com/en/1.1.x/config/#SERVER_NAME
 - `SESSION_COOKIE_NAME`: String value specifying the name to use for the session cookie. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_NAME
+- `SESSION_COOKIE_DOMAIN`: String value specifying the name to use for the session cookie. This should be set to the root domain so that it is valid for both the main site and the authentication subdomain. https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_DOMAIN
 - `SESSION_TYPE`: String value specifying the cookie storage backend. https://pythonhosted.org/Flask-Session/
 - `SESSION_USE_SIGNER`: Boolean value specifying if the cookie sid should be signed.
 - `SQLALCHEMY_ECHO`: Boolean value specifying if SQLAlchemy should log queries to stdout.
diff --git a/config/base.ini b/config/base.ini
index 0feba51f..9233ef21 100644
--- a/config/base.ini
+++ b/config/base.ini
@@ -40,6 +40,7 @@ REDIS_USER
 SECRET_KEY = change_me_into_something_secret
 SERVER_NAME
 SESSION_COOKIE_NAME=atat
+SESSION_COOKIE_DOMAIN
 SESSION_TYPE = redis
 SESSION_USE_SIGNER = True
 SQLALCHEMY_ECHO = False
diff --git a/deploy/azure/atst-envvars-configmap.yml b/deploy/azure/atst-envvars-configmap.yml
index d2b0ba45..6f412a3d 100644
--- a/deploy/azure/atst-envvars-configmap.yml
+++ b/deploy/azure/atst-envvars-configmap.yml
@@ -30,6 +30,7 @@ data:
   PGUSER: atat_master@atat-db
   REDIS_HOST: atat.redis.cache.windows.net:6380
   REDIS_TLS: "true"
+  SESSION_COOKIE_DOMAIN: atat.code.mil
   STATIC_URL: https://atat-cdn.azureedge.net/static/
   TZ: UTC
   UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini