From 54a796a7146a6b473ede36602e0cc3bb2db8eccd Mon Sep 17 00:00:00 2001 From: Ivan Cvitkovic Date: Wed, 24 Sep 2025 10:51:50 -0700 Subject: [PATCH 1/5] Allow session cookie attribute `partitioned` to be configured via env var --- confidential_backend/config.py | 1 + 1 file changed, 1 insertion(+) diff --git a/confidential_backend/config.py b/confidential_backend/config.py index 9afce3c8..b654b284 100644 --- a/confidential_backend/config.py +++ b/confidential_backend/config.py @@ -24,6 +24,7 @@ SESSION_COOKIE_DOMAIN = os.getenv("SESSION_COOKIE_DOMAIN") SESSION_COOKIE_SAMESITE = os.getenv("SESSION_COOKIE_SAMESITE", 'Lax') SESSION_COOKIE_SECURE = os.getenv("SESSION_COOKIE_SECURE", 'false').lower() == 'true' +SESSION_COOKIE_PARTITIONED = os.getenv("SESSION_COOKIE_PARTITIONED", 'false').lower() == 'true' REQUEST_CACHE_URL = os.environ.get('REQUEST_CACHE_URL', 'redis://localhost:6379/0') REQUEST_CACHE_EXPIRE = 24 * 60 * 60 # 24 hours From 6cd490181cf3bd8984e4233f878997afc33c37b4 Mon Sep 17 00:00:00 2001 From: Ivan Cvitkovic Date: Wed, 24 Sep 2025 14:14:39 -0700 Subject: [PATCH 2/5] Use forked flask-session for partitioned cookie fix --- setup.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.cfg b/setup.cfg index 6766d2a0..2077855b 100644 --- a/setup.cfg +++ b/setup.cfg @@ -17,7 +17,7 @@ install_requires = cachelib==0.1.1 celery==5.5.3 flask-cors==4.0.1 - flask-session==0.8.0 + flask-session @ git+https://github.com/uwcirg/flask-session.git@feature/cookie-partitioned-attribute flask==3.1.2 gunicorn==20.1.0 python-jose[cryptography]==3.2.0 From 3ac3fd57971b2ba54603f9313ee892107e2e115c Mon Sep 17 00:00:00 2001 From: Ivan Cvitkovic Date: Wed, 24 Sep 2025 14:15:29 -0700 Subject: [PATCH 3/5] Regenerate lockfiles --- requirements.dev.txt | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.dev.txt b/requirements.dev.txt index bbcc1308..8bb8ebb4 100644 --- a/requirements.dev.txt 
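Review bot: `SESSION_COOKIE_PARTITIONED` can be switched on while `SESSION_COOKIE_SECURE` keeps its `'false'` default on the line above it, yet browsers that implement CHIPS only accept a `Partitioned` cookie that also carries `Secure` (and, for the cross-site embedding the attribute exists for, `SameSite=None` rather than the `'Lax'` default two lines up); with that combination the session cookie is silently dropped and every login loops. Consider failing fast when the config module loads, e.g. `if SESSION_COOKIE_PARTITIONED and not SESSION_COOKIE_SECURE: raise RuntimeError("SESSION_COOKIE_PARTITIONED requires SESSION_COOKIE_SECURE=true")`, or at least a comment on the new line stating that dependency. The `os.getenv(..., 'false').lower() == 'true'` parsing is now duplicated; a tiny `_env_bool(name)` helper would keep the accepted spellings identical for both flags.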
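Review bot: The replacement `flask-session` requirement points at a branch name (`@feature/cookie-partitioned-attribute`) on a fork, so the code that gets installed can change or disappear with any push to that branch, and installs now fetch from GitHub over git instead of from PyPI; the lockfiles regenerated in the next commit inherit the same mutable reference. Pin the direct reference to an immutable commit, e.g. `flask-session @ git+https://github.com/uwcirg/flask-session.git@<full 40-character commit sha>`, and add a comment naming the upstream release or pull request the fork tracks so the pin can be retired once the attribute lands upstream. Because this package issues the session cookie itself, the pinned commit should be the exact revision that was reviewed.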
+++ b/requirements.dev.txt
@@ -35,7 +35,7 @@ flask==3.1.2
     # flask-session
 flask-cors==4.0.1
     # via confidential_backend (setup.cfg)
-flask-session==0.8.0
+flask-session @ git+https://github.com/uwcirg/flask-session.git@feature/cookie-partitioned-attribute
     # via confidential_backend (setup.cfg)
 gunicorn==20.1.0
     # via confidential_backend (setup.cfg)
diff --git a/requirements.txt b/requirements.txt
index d84bfac5..552fd351 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -50,7 +50,7 @@ flask==3.1.2
     # flask-session
 flask-cors==4.0.1
     # via confidential_backend (setup.cfg)
-flask-session==0.8.0
+flask-session @ git+https://github.com/uwcirg/flask-session.git@feature/cookie-partitioned-attribute
     # via confidential_backend (setup.cfg)
 gunicorn==20.1.0
     # via confidential_backend (setup.cfg)

From 8cd63899cbdaf814503b2bd3c23137fb712dbe96 Mon Sep 17 00:00:00 2001
From: Ivan Cvitkovic
Date: Fri, 26 Sep 2025 11:27:59 -0700
Subject: [PATCH 4/5] WIP add debugging for 401 from Epic

---
 confidential_backend/auth/views.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/confidential_backend/auth/views.py b/confidential_backend/auth/views.py
index 25ceaae1..dcc0d9da 100644
--- a/confidential_backend/auth/views.py
+++ b/confidential_backend/auth/views.py
@@ -231,7 +231,20 @@ def authorize(): # todo: define fetch_token function that requests JSON (Accept: application/json header) # https://github.com/lepture/authlib/blob/master/authlib/oauth2/client.py#L154 - token_response = oauth.sof.authorize_access_token(_format='json') + try: + token_response = oauth.sof.authorize_access_token(_format='json') + except requests.exceptions.HTTPError as http_err: + # Log request details + req = http_err.response.request + current_app.logger.debug("HTTPError occurred getting access token") + current_app.logger.debug(f"Request URL: {req.url}") + current_app.logger.debug(f"Request Method: {req.method}") + current_app.logger.debug(f"Request Headers: {req.headers}") + current_app.logger.debug(f"Request Body: {req.body}") + current_app.logger.debug(f"Response Body: {http_err.response.content}") + + raise http_err + extracted_id_token = extract_payload(token_response.get('id_token')) username = extracted_id_token.get('preferred_username') From cc1a6b7fe4a674a6c322bec2dd18b020f2b6289a Mon Sep 17 00:00:00 2001 From: Ivan Cvitkovic Date: Tue, 7 Oct 2025 13:40:52 -0700 Subject: [PATCH 5/5] Remove extra logging --- confidential_backend/auth/views.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/confidential_backend/auth/views.py b/confidential_backend/auth/views.py index dcc0d9da..7f31e1e1 100644 --- a/confidential_backend/auth/views.py +++ b/confidential_backend/auth/views.py @@ -237,10 +237,6 @@ def authorize(): # Log request details req = http_err.response.request current_app.logger.debug("HTTPError occurred getting access token") - current_app.logger.debug(f"Request URL: {req.url}") - current_app.logger.debug(f"Request Method: {req.method}") - current_app.logger.debug(f"Request Headers: {req.headers}") - current_app.logger.debug(f"Request Body: {req.body}") current_app.logger.debug(f"Response Body: {http_err.response.content}") raise http_err
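Review bot: The new `except` branch logs `req.headers` and `req.body` of the token request, and for a confidential client those carry the client credentials (a Basic `Authorization` header or a `client_secret` form field) together with the one-time authorization code, so even at debug level this writes secrets into the log stream; the last commit in this series drops those four lines, which is the right outcome, and a log-level guard alone would not have been a safeguard since debug logging is routinely left on in test deployments. If a diagnostic is wanted, log only `req.method`, `req.url` with its query string stripped, and `http_err.response.status_code`. It is also worth confirming that a 401 from the token endpoint reaches this handler at all: if authlib reports it as its own `OAuthError` instead of a `requests.exceptions.HTTPError`, the branch never runs and the original symptom stays undiagnosed. The enclosing `authorize()` starts before the hunk and continues after it.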
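Review bot: After this removal `req = http_err.response.request` is a dead assignment (nothing below it reads `req`), so that line and the now-misleading `# Log request details` comment should go too. The re-raise is better written as a bare `raise`, which keeps the original traceback without restating the exception. `http_err.response.content` is still logged in full; an error body from the token endpoint is normally a short JSON error object, but its contents are not under this app's control, so consider capping it and guarding the dereference, e.g. `body = http_err.response.content[:2048] if http_err.response is not None else None` followed by `current_app.logger.debug("Response Body: %r", body)`. The enclosing `authorize()` starts and ends outside the hunk.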