Add logout endpoint to Nginx configuration to prevent a new token on logout (#23678)

* Add logout endpoint to Nginx configuration to prevent logout from silently generating a new frigate_token cookie

* Change JWT cookie expiration to use max_age and have the appropriate expiration time based on JWT_SESSION_LENGTH

* ruff formatting
This commit is contained in:
nulledy 2026-07-14 06:35:51 -04:00 committed by GitHub
parent 775ce22204
commit 62d4e87e5d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 20 additions and 5 deletions

View File

@ -274,6 +274,13 @@ http {
include proxy.conf; include proxy.conf;
} }
location /api/logout {
auth_request off;
rewrite ^/api(/.*)$ $1 break;
proxy_pass http://frigate_api;
include proxy.conf;
}
# Allow unauthenticated access to the first_time_login endpoint # Allow unauthenticated access to the first_time_login endpoint
# so the login page can load help text before authentication. # so the login page can load help text before authentication.
location /api/auth/first_time_login { location /api/auth/first_time_login {

View File

@ -415,7 +415,7 @@ def create_encoded_jwt(user, role, expiration, secret):
) )
def set_jwt_cookie(response: Response, cookie_name, encoded_jwt, expiration, secure): def set_jwt_cookie(response: Response, cookie_name, encoded_jwt, max_age, secure):
# TODO: ideally this would set secure as well, but that requires TLS # TODO: ideally this would set secure as well, but that requires TLS
# SameSite is intentionally left unset (browsers default to Lax). Setting # SameSite is intentionally left unset (browsers default to Lax). Setting
# SameSite=Lax/Strict would stop the cookie from being sent in cross-origin # SameSite=Lax/Strict would stop the cookie from being sent in cross-origin
@ -427,7 +427,7 @@ def set_jwt_cookie(response: Response, cookie_name, encoded_jwt, expiration, sec
key=cookie_name, key=cookie_name,
value=encoded_jwt, value=encoded_jwt,
httponly=True, httponly=True,
expires=expiration, max_age=max_age,
secure=secure, secure=secure,
) )
@ -762,7 +762,7 @@ def auth(request: Request):
success_response, success_response,
JWT_COOKIE_NAME, JWT_COOKIE_NAME,
new_encoded_jwt, new_encoded_jwt,
new_expiration, JWT_SESSION_LENGTH,
JWT_COOKIE_SECURE, JWT_COOKIE_SECURE,
) )
@ -875,7 +875,11 @@ def login(request: Request, body: AppPostLoginBody):
encoded_jwt = create_encoded_jwt(user, role, expiration, request.app.jwt_token) encoded_jwt = create_encoded_jwt(user, role, expiration, request.app.jwt_token)
response = Response("", 200) response = Response("", 200)
set_jwt_cookie( set_jwt_cookie(
response, JWT_COOKIE_NAME, encoded_jwt, expiration, JWT_COOKIE_SECURE response,
JWT_COOKIE_NAME,
encoded_jwt,
JWT_SESSION_LENGTH,
JWT_COOKIE_SECURE,
) )
# Clear admin_first_time_login flag after successful admin login so the # Clear admin_first_time_login flag after successful admin login so the
# UI stops showing the first-time login documentation link. # UI stops showing the first-time login documentation link.
@ -1037,7 +1041,11 @@ async def update_password(
) )
# Set new JWT cookie on response # Set new JWT cookie on response
set_jwt_cookie( set_jwt_cookie(
response, JWT_COOKIE_NAME, encoded_jwt, expiration, JWT_COOKIE_SECURE response,
JWT_COOKIE_NAME,
encoded_jwt,
JWT_SESSION_LENGTH,
JWT_COOKIE_SECURE,
) )
return response return response