From fc127704955cb665e8e9cb653850b481046e3053 Mon Sep 17 00:00:00 2001
From: Mark McDowall
Date: Sun, 7 Mar 2021 15:10:56 -0800
Subject: [PATCH] Fixed: Set SameSite=Strict for SonarrAuth cookie
(cherry picked from commit 675c72f02e7565a937b40c23ec27df6d86f95dc3)
---
 .../Authentication/EnableAuthInNancy.cs | 3 +-
 .../Authentication/RadarrNancyCookie.cs | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 src/Radarr.Http/Authentication/RadarrNancyCookie.cs
diff --git a/src/Radarr.Http/Authentication/EnableAuthInNancy.cs b/src/Radarr.Http/Authentication/EnableAuthInNancy.cs
index cff6ed3b9..296f30089 100644
--- a/src/Radarr.Http/Authentication/EnableAuthInNancy.cs
+++ b/src/Radarr.Http/Authentication/EnableAuthInNancy.cs
@@ -4,7 +4,6 @@
 using Nancy.Authentication.Basic;
 using Nancy.Authentication.Forms;
 using Nancy.Bootstrapper;
-using Nancy.Cookies;
 using Nancy.Cryptography;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Core.Authentication;
@@ -117,7 +116,7 @@ private void SlidingAuthenticationForFormsAuth(NancyContext context)
 if (FormsAuthentication.DecryptAndValidateAuthenticationCookie(formsAuthCookieValue, _formsAuthConfig).IsNotNullOrWhiteSpace())
 {
- var formsAuthCookie = new NancyCookie(formsAuthCookieName, formsAuthCookieValue, true, false, DateTime.UtcNow.AddDays(7))
+ var formsAuthCookie = new RadarrNancyCookie(formsAuthCookieName, formsAuthCookieValue, true, false, DateTime.UtcNow.AddDays(7))
 {
 Path = GetCookiePath()
 };
diff --git a/src/Radarr.Http/Authentication/RadarrNancyCookie.cs b/src/Radarr.Http/Authentication/RadarrNancyCookie.cs
new file mode 100644
index 000000000..7da243faa
--- /dev/null
+++ b/src/Radarr.Http/Authentication/RadarrNancyCookie.cs
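Review bot: The `RadarrNancyCookie` swap covers only the cookie re-issued in the sliding-renewal branch after `DecryptAndValidateAuthenticationCookie` succeeds. The diffstat shows no other construction site changed, so the cookie set at login (presumably by Nancy's `FormsAuthentication` itself) would still go out without `SameSite=Strict` until the first renewal. It is worth confirming that path and, if it is unchanged, rewriting that response cookie as well. Separately, the fourth argument keeps `secure` hard-coded to `false`, so the session cookie is still sent over plain HTTP on an HTTPS deployment; consider deriving it from the request scheme, e.g. `context.Request.Url.IsSecure`, bearing in mind that a TLS-terminating proxy may hide the scheme. `SlidingAuthenticationForFormsAuth` begins and ends outside this hunk.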
@@ -0,0 +1,38 @@
+using System;
+using Nancy.Cookies;
+
+namespace Radarr.Http.Authentication
+{
+ public class RadarrNancyCookie : NancyCookie
+ {
+ public RadarrNancyCookie(string name, string value)
+ : base(name, value)
+ {
+ }
+
+ public RadarrNancyCookie(string name, string value, DateTime expires)
+ : base(name, value, expires)
+ {
+ }
+
+ public RadarrNancyCookie(string name, string value, bool httpOnly)
+ : base(name, value, httpOnly)
+ {
+ }
+
+ public RadarrNancyCookie(string name, string value, bool httpOnly, bool secure)
+ : base(name, value, httpOnly, secure)
+ {
+ }
+
+ public RadarrNancyCookie(string name, string value, bool httpOnly, bool secure, DateTime? expires)
+ : base(name, value, httpOnly, secure, expires)
+ {
+ }
+
+ public override string ToString()
+ {
+ return base.ToString() + "; SameSite=Strict";
+ }
+ }
+}
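Review bot: The `ToString()` override only takes effect if the hosting layer builds the `Set-Cookie` header by calling `ToString()` on the cookie, and nothing in the class records that dependency. A Nancy upgrade that serialises from properties instead would drop the attribute without any error. Add a class summary such as `/// <summary>Appends SameSite=Strict to the serialised cookie; relies on Nancy emitting Set-Cookie via ToString().</summary>`, and a unit test asserting that the serialised string ends with `; SameSite=Strict`. The attribute is also unconditional, so any future cookie created through this type becomes Strict as well; if the class is ever reused beyond the auth cookie, make the policy a constructor argument rather than a literal.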