Fix blocklist service injection and centralize session cookie name

2026-04-14 09:21:38 +02:00
parent 5a9d226cca
commit a564830abb
8 changed files with 62 additions and 38 deletions
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -16,18 +16,17 @@ from app.dependencies import (
    AuthServiceDep,
    DbDep,
    SessionCacheDep,
-    SettingsDep,
    SessionRepoDep,
+    SettingsDep,
 )
 from app.models.auth import LoginRequest, LoginResponse, LogoutResponse
 from app.services.auth_service import sign_session_token
+from app.utils.constants import SESSION_COOKIE_NAME

 log: structlog.stdlib.BoundLogger = structlog.get_logger()

 router = APIRouter(prefix="/api/auth", tags=["auth"])

-_COOKIE_NAME = "bangui_session"
-

@router.post(
    "/login",
@@ -77,7 +76,7 @@ async def login(
        settings.session_secret,
    )
    response.set_cookie(
-        key=_COOKIE_NAME,
+        key=SESSION_COOKIE_NAME,
        value=signed_token,
        httponly=settings.session_cookie_httponly,
        samesite=settings.session_cookie_samesite,
@@ -127,7 +126,7 @@ async def logout(
        if raw_token:
            session_cache.invalidate(raw_token)
            session_cache.invalidate(token)
-    response.delete_cookie(key=_COOKIE_NAME)
+    response.delete_cookie(key=SESSION_COOKIE_NAME)
    return LogoutResponse()


@@ -145,7 +144,7 @@ def _extract_token(request: Request) -> str | None:
    Returns:
        The token string, or ``None`` if absent.
    """
-    token: str | None = request.cookies.get(_COOKIE_NAME)
+    token: str | None = request.cookies.get(SESSION_COOKIE_NAME)
    if token:
        return token
    auth_header: str = request.headers.get("Authorization", "")