Fix cookie not accepted in safari

2026-03-17 16:57:51 -03:00
parent 72088dba9a
commit d6d0735ff8
6 changed files with 218 additions and 46 deletions
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -107,12 +107,16 @@ def get_request_auth_context(

    token = credentials.credentials.strip() if credentials is not None and credentials.credentials else ""
    using_cookie_session = False
+    session_candidates: list[str] = []

    if not token:
-        token = (session_cookie or "").strip()
        using_cookie_session = True
-    if not token:
-        _raise_unauthorized()
+        session_candidates = [candidate for candidate in _extract_cookie_values(request, SESSION_COOKIE_NAME) if candidate]
+        normalized_session_cookie = (session_cookie or "").strip()
+        if normalized_session_cookie and normalized_session_cookie not in session_candidates:
+            session_candidates.append(normalized_session_cookie)
+        if not session_candidates:
+            _raise_unauthorized()

    if _requires_csrf_validation(request.method) and using_cookie_session:
        normalized_csrf_header = (csrf_header or "").strip()
@@ -127,7 +131,15 @@ def get_request_auth_context(
        ):
            _raise_csrf_rejected()

-    resolved_session = resolve_auth_session(session, token=token)
+    resolved_session = None
+    if token:
+        resolved_session = resolve_auth_session(session, token=token)
+    else:
+        for candidate in session_candidates:
+            resolved_session = resolve_auth_session(session, token=candidate)
+            if resolved_session is not None and resolved_session.user is not None:
+                break
+
    if resolved_session is None or resolved_session.user is None:
        _raise_unauthorized()