Fix auth cookie always using the default `web_port` option. (#7827)
authorSujal Singh <email.sujalsingh@gmail.com>
Tue, 19 Aug 2025 21:04:34 +0000 (02:34 +0530)
committerGitHub <noreply@github.com>
Tue, 19 Aug 2025 21:04:34 +0000 (23:04 +0200)
* fix auth cookie always using the default `web_port`

* update changelog

* add test

* switch to webauth method

CHANGELOG.md
mitmproxy/tools/web/app.py
mitmproxy/tools/web/webaddons.py
test/mitmproxy/tools/web/test_app.py

index 1dbd60ea9031f75b589196e176843963ed22ef26..8155d65a9192708651a3dd83acc57e25e31ef418 100644 (file)
@@ -7,6 +7,8 @@
 
 ## Unreleased: mitmproxy next
 
+- Fix mitmweb auth cookie always using the default `web_port` option.
+  ([#7827](https://github.com/mitmproxy/mitmproxy/pull/7827), @sujaldev)
 - fix: missing content-length header in curl export
   ([#7810](https://github.com/mitmproxy/mitmproxy/pull/7810), @mheguy)
 - fix: update log message with correct header name
index e04b9281e5db6cd5c608f2e3afaa4efdffac1855..532df8cbc4106f878e4ae966b700a8c1150bf5b8 100644 (file)
@@ -254,7 +254,7 @@ class AuthRequestHandler(tornado.web.RequestHandler):
                     self.auth_fail(bool(password))
                     return None
                 self.set_signed_cookie(
-                    self.settings["auth_cookie_name"],
+                    self.settings["auth_cookie_name"](),
                     self.AUTH_COOKIE_VALUE,
                     expires_days=400,
                     httponly=True,
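Review bot: `self.settings["auth_cookie_name"]` now holds a function, but the key still reads like a string, so the `set_signed_cookie` call here (and again `get_current_user` in the next hunk and the `auth_cookie` test property) depends on every reader remembering the trailing `()`. Because this name selects which cookie authenticates the mitmweb session, a forgotten call should be ruled out by construction rather than surface only when a request is handled. Keep the call in one place with an accessor on the handler, e.g. `def auth_cookie_name(self) -> str: return self.settings["auth_cookie_name"]()`, or rename the setting to something like `get_auth_cookie_name`. The enclosing method and the `set_signed_cookie(...)` call both continue outside this hunk.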
@@ -266,7 +266,7 @@ class AuthRequestHandler(tornado.web.RequestHandler):
 
     def get_current_user(self) -> bool:
         return (
-            self.get_signed_cookie(self.settings["auth_cookie_name"], min_version=2)
+            self.get_signed_cookie(self.settings["auth_cookie_name"](), min_version=2)
             == self.AUTH_COOKIE_VALUE
         )
 
@@ -924,5 +924,5 @@ class Application(tornado.web.Application):
             autoreload=False,
             transforms=[GZipContentAndFlowFiles],
             is_valid_password=auth_addon.is_valid_password,
-            auth_cookie_name=f"mitmproxy-auth-{master.options.web_port}",
+            auth_cookie_name=auth_addon.auth_cookie_name,
         )
index 2d1e382dcf6559070f9493541304b41b6c8a4ea1..d85ff2f4566984809a1d984d27de1439af9be00a 100644 (file)
@@ -65,6 +65,10 @@ class WebAuth:
         # noinspection HttpUrlsUsage
         return f"http://{ctx.options.web_host}:{ctx.options.web_port}/{auth}"
 
+    @staticmethod
+    def auth_cookie_name() -> str:
+        return f"mitmproxy-auth-{ctx.options.web_port}"
+
     def is_valid_password(self, password: str) -> bool:
         if self._password.startswith("$"):
             try:
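Review bot: `auth_cookie_name` has no docstring, and nothing explains why it is a `@staticmethod` that reads the global `ctx.options` and is handed to the web app as a callable. A one-line docstring would record the intent, e.g. `"""Return the auth cookie name for the current web_port; evaluated on each call so a runtime option change is reflected."""`. It is also worth a comment on why the port is part of the name: browsers scope cookies by host and not by port, so presumably the suffix keeps several mitmweb instances on one host from overwriting each other's auth cookie. `is_valid_password` continues past the end of the hunk.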
index 323c313cfc5ddd84d0e2bc6a48d6f746a6cc39a4..01a47952cc79c014151eca02a3956a0ed61fb00b 100644 (file)
@@ -83,10 +83,10 @@ class TestApp(tornado.testing.AsyncHTTPTestCase):
     def auth_cookie(self) -> str:
         auth_cookie = create_signed_value(
             secret=self._app.settings["cookie_secret"],
-            name=self._app.settings["auth_cookie_name"],
+            name=self._app.settings["auth_cookie_name"](),
             value=app.AuthRequestHandler.AUTH_COOKIE_VALUE,
         ).decode()
-        return f"{self._app.settings['auth_cookie_name']}={auth_cookie}"
+        return f"{self._app.settings['auth_cookie_name']()}={auth_cookie}"
 
     def fetch(self, *args, **kwargs) -> httpclient.HTTPResponse:
         kwargs.setdefault("headers", {}).setdefault("Cookie", self.auth_cookie)
@@ -615,3 +615,15 @@ class TestApp(tornado.testing.AsyncHTTPTestCase):
             assert e.code == 403
         else:
             assert False
+
+    def test_auth_cookie_port_suffix_modification(self):
+        opts = self.master.options
+
+        old_port = opts.web_port
+        new_port = 8082
+        opts.web_port = new_port
+
+        try:
+            assert self._app.settings["auth_cookie_name"]().endswith(str(new_port))
+        finally:
+            opts.web_port = old_port
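Review bot: The assertion in `test_auth_cookie_port_suffix_modification` is weaker than the fix it guards: `new_port = 8082` is hard-coded, so the check does not prove the name follows the option if the fixture's `web_port` is already 8082, and `endswith(str(new_port))` also accepts a name ending in e.g. `18082`. Deriving the port and comparing the whole name closes both gaps: `new_port = old_port + 1` and `assert self._app.settings["auth_cookie_name"]() == f"mitmproxy-auth-{new_port}"`. The test also covers only the name; whether a cookie signed under the old name is rejected after the port changes is not exercised here.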