[clientpython] fix(backend): no more cookies by default (#209)

[guzmud]

Proposed changes

• Setting the default cookie policy for RequestsBackend to allow only the following domains: []

Testing Instructions

>>> from pyoaev.backends.backend import RequestsBackend
>>> backend = RequestsBackend()
# this request will provide in answer the cookie that is supposed to be set
>>> backend .http_request("GET", 'https://httpbin.org/cookies/set/sessioncookie/123456789').content
b'{\n  "cookies": {\n    "sessioncookie": "123456789"\n  }\n}\n'
# this request will provide in answer the cookies that were sent by the request
>>> backend .http_request("GET", 'https://httpbin.org/cookies').content
b'{\n  "cookies": {}\n}\n'

Related issues

• Closes Injectors trigger the CSRF protection by sending cookies with requests #209

Checklist

• I consider the submitted work as finished
• I tested the code for its functionality
• I wrote test cases for the relevant uses case
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality
• For bug fix -> I implemented a test that covers the bug

Further comments

Two technical suggestions for blocking cookies while keeping the shared Session object: either create a custom CookiePolicy that blocks everything or use the default one but have an empty list as the list of allowed domains.

The custom CookiePolicy seemed to have more potential side-effects + if we need to in the future we can turn the allowed_domains into a parameter that will configure the backend (while still having the empty list as default).

Screenshots

A new test was added to check the session's cookie policy, whether is was not at None (the default that would mean accepting all) but still a len(0) (so an empty set so accept nothing).

new test before fix

new test after fix

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.41%. Comparing base (db62aef) to head (7f6fb45).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #210      +/-   ##
==========================================
+ Coverage   70.39%   70.41%   +0.02%     
==========================================
  Files          58       58              
  Lines        2327     2329       +2     
==========================================
+ Hits         1638     1640       +2     
  Misses        689      689              

Flag	Coverage Δ
connectors	70.41% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[guzmud]

FYI integration testing done locally following those steps:

1. build the Dockerfile of the oaev platform using podman build -t openaev/platform:1785 in a local clone of the OAEV platform project checked out on the issue/1785 branch (note: the fix regarding the Dockerfile needs to be done manually, cf [tool] fix(dockerfile): missing corepack and patches (#5540) openaev#5541)
2. edit the docker-compose file in a local clone of the OAEV docker project to change the tag of openaev/platform to openaev/platform:1785 + expose the ports of RabbitMQ (+ update you hosts file if you are under windows and can't run the docker network as host)
3. in the injector http_query, poetry install for testing before fix then python -m pip install --force-reinstall --no-deps "git+https://github.com/OpenAEV-Platform/client-python.git@fix/209-no-more-cookies" for testing after fix

Before fix

After fix