azhi/BSUIR_labs 1

Repo for university labs

azhi/absinthe 0

The GraphQL toolkit for Elixir

azhi/absinthe-metrics 0

Pluggable metrics for Absinthe based GraphQL backends

azhi/APNS 0

An Apple Push Notification Service gem

azhi/arc_ecto 0

An integration with Arc and Ecto.

azhi/asdf-ruby 0

Ruby plugin for asdf version manager

azhi/awesome 0

awesome window manager

azhi/awesome-wm-widgets 0

Widgets for Awesome Window Manager

pull request comment phoenixframework/phoenix

skip CSRF check in WS session load if cookie is secure

I'm working on a Phoenix project that exposes a JSON API (with a WS) for a separate frontend app, both hosted on the same hostname.

As of now we are implementing our own JWT-token authorization for WS. We would want to simplify things for the frontend - it can use the same cookie it is using for HTTP API authentication. For now the only option to do this is passing the CSRF token in a separate HTTP API action, which defeats the purpose of it being a CSRF check anyway.

azhi

comment created time in 18 days

PR opened phoenixframework/phoenix

skip CSRF check in WS session load if cookie is secure

A follow-up to this elixir forum thread to start a discussion.

In this implementation, cookie is considered to be 'secure' if it was set using sameSite = Lax or Strict, httpOnly = true and secure = true.

We have no way to say for sure whether cookie was set with these opts - we are using data from {:session, session_opts} passed to connect_info option for socket transport.

Since phoenix encourages users to pass an exact copy of the arguments given to Plug.Session as session_opts, we can rely on this to get cookie options.

Note that this is not the final implementation - need to change docs for Endpoint's socket, add an entry to the changelog, etc.

I will finish this if you are OK with the general idea.

+103 -14

0 comment

2 changed files

pr created time in 18 days

push event azhi/phoenix

azhi

commit sha fe940256454d35faf5381b5084f391d8fada7016

skip CSRF check in WS session load if cookie is secure

cookie is considered to be 'secure' if it was set using `sameSite` = `Lax` or `Strict`, `httpOnly` = `true` and `secure` = `true`

we have no way to say for sure whether cookie was set with these opts - we are using `{:session, session_opts}` passed to `connect_info` option for socket transport

since phoenix encourages users to pass an exact copy of the arguments given to Plug.Session as session_opts, we can rely on this to get cookie options

push time in 18 days

create branch azhi/phoenix

branch : ws-csrf-check-changes

created branch time in 18 days

fork azhi/phoenix

Peace of mind from prototype to production

https://www.phoenixframework.org

fork in 18 days

push event azhi/dotfiles

azhi

commit sha b67aca9ceaf9817ec9bcf718b0c2bbb79fb1c05a

use proper way to add asdf completions

push time in 2 months

push event azhi/dotfiles

azhi

commit sha e0bf14ef8e0503498146c3dcfa385b8ec3997d8d

update key bindings setup in zshrc remove zkbd, use terminfo/hardcoded keys

push time in 2 months

issue comment rabbitmq/rabbitmq-server

rabbitmq-amqp1.0-client: publish hex package

Any plans on this moving forward? A Hex package would be really appreciated.

Unfortunately mix doesn't support monorepos well, currently you can't add a dependency on amqp10_client at all, which makes things worse.

I've forked amqp1.0-client and amqp1.0-common into separate repos and tried to make it work without the rest of the monorepo, and it was working for a while. But now something broke in the build process, and debugging an unfamiliar make-based build system is quite troublesome :(.

patrickdet

comment created time in 2 months