[*] Security - Fix implementation of session token passed in headers while downloading collections records

Author: arnaudbesnier

CHANGELOG.md

@@ -1,6 +1,8 @@
 # Change Log
 
 ## [Unreleased]
+### Fixed
+- Security - Fix implementation of session token passed in headers while downloading collections records.
 
 ## RELEASE 3.0.0-beta.15 - 2019-03-27
 ### Changed

app/controllers/forest_liana/application_controller.rb

@@ -3,7 +3,7 @@
 
 module ForestLiana
   class ApplicationController < ForestLiana::BaseController
-    REGEX_COOKIE_SESSION_TOKEN = /sessionToken=(.*);?/;
+    REGEX_COOKIE_SESSION_TOKEN = /forest_session_token=([^;]*)/;
 
     def self.papertrail?
       Object.const_get('PaperTrail::Version').is_a?(Class) rescue false

app/controllers/forest_liana/sessions_controller.rb

@@ -82,6 +82,10 @@ def process_login(
 
         render(serializer: nil, json: nil, status: :internal_server_error)
       else
+        # NOTICE: Set a cookie to ensure secure authentication using export feature.
+        # NOTICE: The token is empty at first authentication step if the 2FA option is active.
+        response.set_cookie("forest_session_token", reponse_data[:token]) if reponse_data[:token]
+
         render(json: reponse_data, serializer: nil)
       end
     end

lib/forest_liana/engine.rb

@@ -23,7 +23,7 @@ def configure_forest_cors
             hostnames += ENV['CORS_ORIGINS'].split(',') if ENV['CORS_ORIGINS']
 
             origins hostnames
-            resource '*', headers: :any, methods: :any, max_age: 86400 # NOTICE: 1 day
+            resource '*', headers: :any, methods: :any, credentials: true, max_age: 86400 # NOTICE: 1 day
           end
         end
         nil