From 38037c411991ec7d8c646d07e8eb865f88f37a31 Mon Sep 17 00:00:00 2001
From: George Barbarosie
Date: Tue, 2 Mar 2021 17:06:24 +0000
Subject: [PATCH 1/2] implement SameSite cookie attribute
---
 README.rst | 3 +++
 src/pyramid_jwt/__init__.py | 3 +++
 src/pyramid_jwt/policy.py | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/README.rst b/README.rst
index 1ce19a1..f5eef17 100644
--- a/README.rst
+++ b/README.rst
@@ -233,6 +233,9 @@ The follow options applies to the cookie-based authentication policy:
 | https_only | jwt.https_only_cookie | True | Whether or not the token should only be |
 | | | | sent through a secure HTTPS transport |
 +----------------+---------------------------+---------------+--------------------------------------------+
+| samesite | jwt.samesite | one | Set the 'SameSite' attribute of the cookie |
+| | | | can be 'strict', 'lax', 'none' |
++----------------+---------------------------+---------------+--------------------------------------------+
 | reissue_time | jwt.cookie_reissue_time | None | Number of seconds (or a datetime.timedelta |
 | | | | instance) before a cookie (and the token |
 | | | | within it) is reissued |
diff --git a/src/pyramid_jwt/__init__.py b/src/pyramid_jwt/__init__.py
index c0b633f..9ccd267 100644
--- a/src/pyramid_jwt/__init__.py
+++ b/src/pyramid_jwt/__init__.py
@@ -94,6 +94,7 @@ def set_jwt_cookie_authentication_policy(
 audience=None,
 cookie_name=None,
 https_only=True,
+ samesite=None,
 reissue_time=None,
 cookie_path=None,
 ):
@@ -103,6 +104,8 @@ def set_jwt_cookie_authentication_policy(
 reissue_time = reissue_time or settings.get("jwt.cookie_reissue_time")
 if https_only is None:
 https_only = settings.get("jwt.https_only_cookie", True)
+ if samesite is None:
+ samesite = settings.get("jwt.samesite", None)
 
 auth_policy = create_jwt_authentication_policy(
 config,
diff --git a/src/pyramid_jwt/policy.py b/src/pyramid_jwt/policy.py
index 214d586..279403e 100644
--- a/src/pyramid_jwt/policy.py
+++ b/src/pyramid_jwt/policy.py
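Review bot: The value read by `samesite = settings.get("jwt.samesite", None)` is forwarded verbatim with no validation, so a typo in the ini file (`Lax `, `Strict;`, the string `None`) is only caught, if at all, when the first cookie is issued rather than at configuration time; add a check right after the lookup, `if samesite is not None and samesite.lower() not in ("strict", "lax", "none"): raise ValueError("jwt.samesite must be one of strict, lax or none")`. The interaction with `https_only` also deserves a guard or at least a comment: Chromium-based browsers reject a `SameSite=None` cookie that is not also `Secure`, so `jwt.samesite = none` together with `jwt.https_only_cookie = false` means the token is never stored and logins fail silently. With the default left at `None` the cookie carries no SameSite attribute and whether cross-site requests send the JWT depends on the browser's default, which is worth stating in the docstring of `set_jwt_cookie_authentication_policy` (the function starts and ends outside the hunk); note the README row in this same commit lists the default as `one`, presumably a typo for `None`. The explicit `None` default in `settings.get("jwt.samesite", None)` is redundant with the `settings.get("jwt.cookie_reissue_time")` form used two lines above.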
@@ -170,6 +170,7 @@ def __init__(
 audience=None,
 cookie_name=None,
 https_only=True,
+ samesite=None,
 reissue_time=None,
 cookie_path=None,
 ):
@@ -188,6 +189,7 @@ def __init__(
 )
 self.https_only = https_only
+ self.samesite = samesite
 self.cookie_name = cookie_name or "Authorization"
 self.max_age = self.expiration and self.expiration.total_seconds()
@@ -198,6 +200,7 @@ def __init__(
 self.cookie_profile = CookieProfile(
 cookie_name=self.cookie_name,
 secure=self.https_only,
+ samesite=self.samesite,
 max_age=self.max_age,
 httponly=True,
 path=cookie_path,
From 21edb401abcea1f1aacd5e9358cbfc4ebdf4719f Mon Sep 17 00:00:00 2001
From: George Barbarosie
Date: Tue, 2 Mar 2021 17:34:53 +0000
Subject: [PATCH 2/2] forgot to pass samesite to the JWTCookeiAuthenticationPolicy
---
 src/pyramid_jwt/__init__.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/pyramid_jwt/__init__.py b/src/pyramid_jwt/__init__.py
index 9ccd267..5f91171 100644
--- a/src/pyramid_jwt/__init__.py
+++ b/src/pyramid_jwt/__init__.py
@@ -126,6 +126,7 @@ def set_jwt_cookie_authentication_policy(
 cookie_name=cookie_name,
 https_only=https_only,
 reissue_time=reissue_time,
+ samesite=samesite,
 cookie_path=cookie_path,
 )
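Review bot: Passing `samesite=self.samesite` to `CookieProfile` depends on a WebOb release that accepts that keyword (SameSite support landed in WebOb 1.8 as far as I recall); on an older WebOb this line raises `TypeError` when the policy is constructed, so the package's WebOb requirement should be raised in the same change if it is not already at that version — the dependency file is not part of this patch. As far as I remember WebOb lowercases and validates the SameSite value only when the cookie header is actually built, i.e. at login/reissue time, not in this constructor, so an invalid or unsafe value from configuration surfaces late; a comment on the added line would make that explicit, e.g. `# SameSite is not checked here; WebOb validates it when the Set-Cookie header is built`. The `__init__` this hunk belongs to starts before the hunk and continues after it.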
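Review bot: This follow-up shows the first patch shipped with `samesite` silently dropped on the way into the policy, and neither patch adds a test that would have caught it. A test that sets `jwt.samesite = lax`, issues a cookie through the policy and asserts that the `Set-Cookie` header contains `SameSite=Lax` would pin the feature; a second case with `jwt.samesite = none` and `jwt.https_only_cookie = false` would document how the Secure/None combination is meant to behave. As a point of style, `samesite=samesite` is placed after `reissue_time` here while the signature added in the first patch puts it between `https_only` and `reissue_time`; keeping the two orders aligned makes the next "forgot to pass" mistake easier to spot. The call this hunk sits in starts before the hunk.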