fix: Discord OAuth CSRF cookie SameSite=None for cross-site callback

- Changed __DiscordOAuthState cookie from SameSite=Strict to SameSite=None
  because Discord redirects from discord.com (cross-site) and Strict
  prevents the cookie from being sent on the callback request.
- Added logging for CSRF validation failure to aid future diagnostics.

Bump version → 2.8.1

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -6,7 +6,7 @@ on:
       - main 
 
 env:
-  VERSION: 2.8.0
+  VERSION: 2.8.1
 
 jobs:
   # ЧАСТЬ 1: Собираем образы и кладем в Gitea (чтобы делиться с ребятами)

Directory.Build.props

@@ -1,6 +1,6 @@
 <Project>
   <PropertyGroup>
-    <Version>2.8.0</Version>
+    <Version>2.8.1</Version>
     <TargetFramework>net10.0</TargetFramework>
     <LangVersion>preview</LangVersion>
     <Nullable>enable</Nullable>

compose.yaml

@@ -49,7 +49,7 @@ services:
         crond -f
 
   bot:
-    image: git.codeanddice.ru/toutsu/gmrelay-bot:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-bot:2.8.1
     restart: always
     depends_on:
       db:
@@ -67,7 +67,7 @@ services:
       retries: 3
 
   discord:
-    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-discord-bot:2.8.1
     restart: always
     depends_on:
       db:
@@ -84,7 +84,7 @@ services:
       retries: 3
 
   web:
-    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.0
+    image: git.codeanddice.ru/toutsu/gmrelay-web:2.8.1
     restart: always
     depends_on:
       db:

src/GmRelay.Web/Components/Layout/NavMenu.razor

@@ -66,7 +66,7 @@
                     </button>
                 </form>
 
-                <div class="nav-version">v2.8.0</div>
+                <div class="nav-version">v2.8.1</div>
             </div>
         </Authorized>
         <NotAuthorized>

src/GmRelay.Web/Program.cs

@@ -192,7 +192,7 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
     {
         HttpOnly = true,
         Secure = true,
-        SameSite = SameSiteMode.Strict,
+        SameSite = SameSiteMode.None,
         MaxAge = TimeSpan.FromMinutes(5)
     });
     var url = discordAuth.BuildAuthorizeUrl(state);
@@ -202,7 +202,8 @@ app.MapGet("/auth/discord", (HttpContext context, DiscordAuthService discordAuth
 app.MapGet("/auth/discord/callback", async (
     HttpContext context,
     DiscordAuthService discordAuth,
-    ISessionStore sessionStore) =>
+    ISessionStore sessionStore,
+    ILogger<Program> logger) =>
 {
     var code = context.Request.Query["code"].ToString();
     var state = context.Request.Query["state"].ToString();
@@ -216,6 +217,8 @@ app.MapGet("/auth/discord/callback", async (
             System.Text.Encoding.UTF8.GetBytes(state),
             System.Text.Encoding.UTF8.GetBytes(storedState ?? string.Empty)))
     {
+        logger.LogWarning("Discord OAuth CSRF validation failed. code_present={CodePresent}, state_present={StatePresent}, stored_state_present={StoredStatePresent}",
+            !string.IsNullOrWhiteSpace(code), !string.IsNullOrWhiteSpace(state), !string.IsNullOrWhiteSpace(storedState));
         return Results.Redirect("/login?error=auth_failed");
     }
 

src/GmRelay.Web/Services/DiscordAuthService.cs

@@ -5,7 +5,7 @@ using System.Text.Json.Serialization;
 
 namespace GmRelay.Web.Services;
 
-public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, IConfiguration configuration)
+public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, IConfiguration configuration, ILogger<DiscordAuthService> logger)
 {
     private readonly DiscordOAuthOptions _options = configuration.GetSection("Discord").Get<DiscordOAuthOptions>() ?? new DiscordOAuthOptions();
 
@@ -40,10 +40,14 @@ public sealed class DiscordAuthService(IHttpClientFactory httpClientFactory, ICo
         });
 
         var response = await client.PostAsync("https://discord.com/api/oauth2/token", content);
-        if (!response.IsSuccessStatusCode)
-            return null;
-
         var json = await response.Content.ReadAsStringAsync();
+        if (!response.IsSuccessStatusCode)
+        {
+            logger.LogError("Discord token exchange failed: {StatusCode} {Body}. client_id={ClientId}, redirect_uri={RedirectUri}",
+                (int)response.StatusCode, json, _options.ClientId, _options.RedirectUri);
+            return null;
+        }
+
         return JsonSerializer.Deserialize<DiscordTokenResponse>(json);
     }
 

tests/GmRelay.Bot.Tests/Discord/DiscordProjectStructureTests.cs

@@ -61,7 +61,7 @@ public sealed class DiscordProjectStructureTests
         var prChecks = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "pr-checks.yml"));
         var deploy = File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml"));
 
-        Assert.Contains("gmrelay-discord-bot:2.8.0", compose);
+        Assert.Contains("gmrelay-discord-bot:2.8.1", compose);
         Assert.Contains("Discord__Token=${DISCORD_BOT_TOKEN:?Set DISCORD_BOT_TOKEN in .env}", compose);
         Assert.Contains("src/GmRelay.DiscordBot/Dockerfile", deploy);
         Assert.Contains("DISCORD_BOT_TOKEN", deploy);
@@ -75,13 +75,13 @@ public sealed class DiscordProjectStructureTests
     {
         var repoRoot = GetRepoRoot();
 
-        Assert.Contains("<Version>2.8.0</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
+        Assert.Contains("<Version>2.8.1</Version>", File.ReadAllText(Path.Combine(repoRoot, "Directory.Build.props")));
-        Assert.Contains("VERSION: 2.8.0", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
+        Assert.Contains("VERSION: 2.8.1", File.ReadAllText(Path.Combine(repoRoot, ".gitea", "workflows", "deploy.yml")));
-        Assert.Contains("gmrelay-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-web:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-web:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
-        Assert.Contains("gmrelay-discord-bot:2.8.0", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
+        Assert.Contains("gmrelay-discord-bot:2.8.1", File.ReadAllText(Path.Combine(repoRoot, "compose.yaml")));
         Assert.Contains(
-            "v2.8.0",
+            "v2.8.1",
             File.ReadAllText(Path.Combine(repoRoot, "src", "GmRelay.Web", "Components", "Layout", "NavMenu.razor")));
     }
 

tests/GmRelay.Bot.Tests/Web/DiscordAuthServiceTests.cs

@@ -3,6 +3,7 @@ using System.Text.Json;
 using GmRelay.Web;
 using GmRelay.Web.Services;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging.Abstractions;
 
 namespace GmRelay.Bot.Tests.Web;
 
@@ -20,7 +21,7 @@ public class DiscordAuthServiceTests
             })
             .Build();
 
-        var service = new DiscordAuthService(new TestHttpClientFactory(), config);
+        var service = new DiscordAuthService(new TestHttpClientFactory(), config, NullLogger<DiscordAuthService>.Instance);
         var url = service.BuildAuthorizeUrl("state123");
 
         Assert.Contains("client_id=12345", url);
@@ -33,7 +34,7 @@ public class DiscordAuthServiceTests
     public void BuildAuthorizeUrl_WithMissingConfig_ThrowsInvalidOperationException()
     {
         var config = new ConfigurationBuilder().Build();
-        var service = new DiscordAuthService(new TestHttpClientFactory(), config);
+        var service = new DiscordAuthService(new TestHttpClientFactory(), config, NullLogger<DiscordAuthService>.Instance);
 
         Assert.Throws<InvalidOperationException>(() => service.BuildAuthorizeUrl("state"));
     }
@@ -74,7 +75,7 @@ public class DiscordAuthServiceTests
             .Build();
 
         var factory = new TestHttpClientFactory(handler);
-        var service = new DiscordAuthService(factory, config);
+        var service = new DiscordAuthService(factory, config, NullLogger<DiscordAuthService>.Instance);
 
         var result = await service.ExchangeCodeAsync("valid_code");
 
@@ -102,7 +103,7 @@ public class DiscordAuthServiceTests
             .Build();
 
         var factory = new TestHttpClientFactory(handler);
-        var service = new DiscordAuthService(factory, config);
+        var service = new DiscordAuthService(factory, config, NullLogger<DiscordAuthService>.Instance);
 
         var result = await service.ExchangeCodeAsync("invalid_code");