BE: add SESSION_COOKIE_DOMAIN setting (#311)

admin/src/components/MFAuth/index.tsx

@@ -173,7 +173,7 @@ class MFAuth extends React.Component<Props, State> {
           <ol>
             <li>Save two-factor recovery codes</li>
             <li>
-              Setup up TOTP authentication device, typically a smartphone with Google
+              Setup TOTP authentication device, typically a smartphone with Google
               Authenticator, Authy, 1Password or other compatible authenticator app.
             </li>
           </ol>

backend/.env.example

@@ -7,6 +7,9 @@ REDISTOGO_URL="redis://localhost:6379"
 SECRET_KEY="not-so-secret"
 SENDGRID_API_KEY="optional, but emails won't send without it"
 
+# set this so third-party cookie blocking doesn't kill backend sessions (production)
+# SESSION_COOKIE_DOMAIN="zfnd.org"
+
 # SENTRY_DSN="https://PUBLICKEY@sentry.io/PROJECTID"
 # SENTRY_RELEASE="optional, provides sentry logging with release info"
 

backend/grant/settings.py

@@ -16,7 +16,7 @@ ENV = env.str("FLASK_ENV", default="production")
 DEBUG = ENV == "development"
 SITE_URL = env.str('SITE_URL', default='https://zfnd.org')
 SQLALCHEMY_DATABASE_URI = env.str("DATABASE_URL")
-SQLALCHEMY_ECHO = False # True will print queries to log
+SQLALCHEMY_ECHO = False  # True will print queries to log
 QUEUES = ["default"]
 SECRET_KEY = env.str("SECRET_KEY")
 BCRYPT_LOG_ROUNDS = env.int("BCRYPT_LOG_ROUNDS", default=13)
@@ -25,6 +25,9 @@ DEBUG_TB_INTERCEPT_REDIRECTS = False
 CACHE_TYPE = "simple"  # Can be "memcached", "redis", etc.
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 
+# so backend session cookies are first-party
+SESSION_COOKIE_DOMAIN = env.str('SESSION_COOKIE_DOMAIN', default=None)
+
 SENDGRID_API_KEY = env.str("SENDGRID_API_KEY", default="")
 SENDGRID_DEFAULT_FROM = "noreply@zfnd.org"