force session for all users, even not logged in, to ensure they can save routing settings via api

2023-12-21 16:32:26 +01:00 · 2023-12-21 16:32:26 +01:00 · 511a40fb5a
commit 511a40fb5a
parent 348c176502
3 changed files with 5 additions and 6 deletions
--- a/src/c3nav/api/api.py
+++ b/src/c3nav/api/api.py
@ -55,9 +55,10 @@ class APIKeySchema(BaseSchema):
                     summary="get session-bound key")
 def session_key(request):
    """
-    Get an API key that is bound to the transmitted session cookie.
+    Get an API key that is bound to the transmitted session cookie, or a newly created session cookie if none is sent.

    Keep in mind that this API key will be invalid if the session gets signed out or similar.
    """
-    session_id = request.COOKIES.get(settings.SESSION_COOKIE_NAME, None)
-    return {"key": "anonymous" if session_id is None else f"session:{session_id}"}
+    if request.session.session_key is None:
+        request.session.create()
+    return {"key": f"session:{request.session.session_key}"}
--- a/src/c3nav/api/auth.py
+++ b/src/c3nav/api/auth.py
@ -70,8 +70,6 @@ class APIKeyAuth(APIKeyHeader):
        elif key.startswith("session:"):
            session = self.SessionStore(key.removeprefix("session:"))
            user = auth_get_user(FakeRequest(session=session))
-            if not user.is_authenticated:
-                raise APIKeyInvalid
            request.user = user
            return APIAuthDetails(
                key_type=APIKeyType.SESSION,
--- a/src/c3nav/static/c3nav/js/api.js
+++ b/src/c3nav/static/c3nav/js/api.js
@ -10,7 +10,7 @@

        authenticate() {
            return fetch(this.base+'auth/session/', {
-                credentials: 'include',
+                credentials: 'same-origin',
                method: 'GET',
            })
                .then(res => res.json())