Merge pull request #92: fix Discord OAuth CSRF cookie SameSite

compose.yaml

@@ -67,7 +67,7 @@ services:
       retries: 3
 
   discord:
-    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.1
     restart: always
     depends_on:
       db:
@@ -84,7 +84,7 @@ services:
       retries: 3
 
   web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.1
     restart: always
     depends_on:
       db:

src/GmRelay.Web/Program.cs

@@ -192,7 +192,7 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
     {
         HttpOnly = true,
         Secure = true,
-        SameSite = SameSiteMode.Strict,
+        SameSite = SameSiteMode.None,
         MaxAge = TimeSpan.FromMinutes(5)
     });
     var url = discordAuth.BuildAuthorizeUrl(state);
@@ -202,7 +202,8 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
 app.MapGet("/auth/discord/callback", async (
     HttpContext context,
     DiscordAuthService discordAuth,
-    ISessionStore sessionStore) =>
+    ISessionStore sessionStore,
+    ILogger<Program> logger) =>
 {
     var code = context.Request.Query["code"].ToString();
     var state = context.Request.Query["state"].ToString();
@@ -216,6 +217,8 @@ app.MapGet("/auth/discord/callback", async (
             System.Text.Encoding.UTF8.GetBytes(state),
             System.Text.Encoding.UTF8.GetBytes(storedState ?? string.Empty)))
     {
+        logger.LogWarning("Discord OAuth CSRF validation failed. code_present={CodePresent}, state_present={StatePresent}, stored_state_present={StoredStatePresent}",
+            !string.IsNullOrWhiteSpace(code), !string.IsNullOrWhiteSpace(state), !string.IsNullOrWhiteSpace(storedState));
         return Results.Redirect("/login?error=auth_failed");
     }
 

tests/GmRelay.Bot.Tests/Discord/DiscordProjectStructureTests.cs

@@ -61,7 +61,7 @@ public sealed class DiscordProjectStructureTests
         var prChecks = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "pr-checks.yml"));
         var deploy = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml"));
 
-        Assert.Contains("gmrelay-discord-bot:2.8.0", compose);
+        Assert.Contains("gmrelay-discord-bot:2.8.1", compose);
         Assert.Contains("Discord__Token=${DISCORD_BOT_TOKEN:?Set DISCORD_BOT_TOKEN in .env}", compose);
         Assert.Contains("src/GmRelay.DiscordBot/Dockerfile", deploy);
         Assert.Contains("DISCORD_BOT_TOKEN", deploy);
@@ -75,13 +75,13 @@ public sealed class DiscordProjectStructureTests
     {
         var repoRoot = GetRepoRoot();
 
-        Assert.Contains("<Version>2.8.0</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
-        Assert.Contains("VERSION: 2.8.0", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
-        Assert.Contains("gmrelay-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-web:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-discord-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("<Version>2.8.1</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
+        Assert.Contains("VERSION: 2.8.1", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
+        Assert.Contains("gmrelay-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-web:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-discord-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
         Assert.Contains(
-            "v2.8.0",
+            "v2.8.1",
             File.ReadAllText(Path.Combine(repoRoot, "src", "GmRelay.Web", "Components", "Layout", "NavMenu.razor")));
     }