From c0de2f02b67c30c0c8d4223e85a98bf36b241d5a Mon Sep 17 00:00:00 2001 From: Eugene Date: Thu, 5 Jun 2025 10:16:34 +0200 Subject: [PATCH] fixed #1366 - API crash --- Cargo.lock | 17 ++++++++++++++ Cargo.toml | 8 +++++++ tests/test_api_auth.py | 32 ++++++++++++++++++++++++++- tests/test_http_basic.py | 2 +- warpgate-admin/Cargo.toml | 7 +----- warpgate-common/Cargo.toml | 7 +----- warpgate-core/Cargo.toml | 7 +----- warpgate-db-entities/Cargo.toml | 2 +- warpgate-protocol-http/Cargo.toml | 2 +- warpgate-web/src/gateway/Login.svelte | 2 +- warpgate/Cargo.toml | 1 + 11 files changed, 64 insertions(+), 23 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4e0dcade..82413f08 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2462,6 +2462,16 @@ version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d" +[[package]] +name = "nu-ansi-term" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84" +dependencies = [ + "overload", + "winapi", +] + [[package]] name = "num-bigint" version = "0.4.6" @@ -2661,6 +2671,12 @@ dependencies = [ "syn 2.0.101", ] +[[package]] +name = "overload" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" + [[package]] name = "p256" version = "0.13.2" @@ -5090,6 +5106,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008" dependencies = [ "matchers", + "nu-ansi-term", "once_cell", "regex", "sharded-slab", diff --git a/Cargo.toml b/Cargo.toml index a80630a3..16e3ffe9 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -42,6 +42,14 @@ poem = { version = "3.1", features = [ "websocket", "rustls", "embed", + "server", +], default-features = false } +poem-openapi = { version = "5.1", features = [ + "swagger-ui", + "chrono", + "uuid", + "static-files", + "cookie", ], default-features = false } password-hash = { version = "0.5", features = ["std"], default-features = false } delegate = { version = "0.13", default-features = false } diff --git a/tests/test_api_auth.py b/tests/test_api_auth.py index fe0d1156..1d92adee 100644 --- a/tests/test_api_auth.py +++ b/tests/test_api_auth.py @@ -1,5 +1,7 @@ import contextlib -from .api_client import sdk +from uuid import uuid4 +import requests +from .api_client import admin_client, sdk from .conftest import WarpgateProcess from .test_http_common import * # noqa @@ -43,3 +45,31 @@ class TestAPIAuth: api.get_session("1") with assert_401(): api.get_sessions() + + def test_cookie_auth( + self, + shared_wg: WarpgateProcess, + ): + url = f"https://localhost:{shared_wg.http_port}" + + with admin_client(url) as api: + user = api.create_user(sdk.CreateUserRequest(username=f"user-{uuid4()}")) + api.create_password_credential( + user.id, sdk.NewPasswordCredential(password="123") + ) + admin_role = api.get_roles('warpgate:admin')[0] + api.add_user_role(user.id, admin_role.id) + + session = requests.Session() + session.verify = False + r = session.post( + f"{url}/@warpgate/api/auth/login", + json={ + 'username': user.username, + 'password': '123', + }, + ) + assert r.status_code == 201, r.text + + r = session.get(f"{url}/@warpgate/admin/api/sessions") + assert r.status_code == 200, r.text diff --git a/tests/test_http_basic.py b/tests/test_http_basic.py index 4d170ded..9d2096da 100644 --- a/tests/test_http_basic.py +++ b/tests/test_http_basic.py 
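Review bot: The new workspace-level `poem-openapi` entry has no comment explaining why the `cookie` feature is enabled, although it looks like the substantive part of this fix, since the cookie-login test added in tests/test_api_auth.py exercises it. A later feature clean-up could drop it again unnoticed, so I would add a line above the entry such as `# "cookie" is needed for cookie-session auth on the admin API (see #1366)`, if that is indeed the reason. The added `server` feature on `poem` is likewise unexplained. This entry also becomes the single feature set for every member crate, so in the later hunks warpgate-db-entities (previously only `chrono`, `uuid`) and warpgate-protocol-http (previously only `swagger-ui`) now inherit `static-files`, `swagger-ui` and `cookie`. That is probably harmless under Cargo's feature unification, but worth stating in the commit message.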
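Review bot: `test_cookie_auth` has no negative control: it only asserts that a logged-in session gets 200 from `/@warpgate/admin/api/sessions`, so it would still pass if that endpoint stopped requiring authentication altogether. Before the login POST I would add `r = session.get(f"{url}/@warpgate/admin/api/sessions")` followed by `assert r.status_code == 401, r.text`; the 401 is assumed from the `assert_401()` checks earlier in this class and should be confirmed for cookie-less requests. Neither `requests` call passes `timeout=`, so a hung server stalls the run instead of failing the test. `session.verify = False` deserves a short comment that it is acceptable only because the target is the test instance on localhost, presumably with a self-signed certificate. The test also leaves a user with the `warpgate:admin` role and password `123` on the shared instance; removing it at the end, if the SDK offers a delete call, would keep `shared_wg` clean for later tests.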
@@ -18,7 +18,7 @@ class Test: with admin_client(url) as api: role = api.create_role(sdk.RoleDataRequest(name=f"role-{uuid4()}")) - user = api.create_user(sdk.CreateUserRequest(username="user")) + user = api.create_user(sdk.CreateUserRequest(username=f"user-{uuid4()}")) api.create_password_credential( user.id, sdk.NewPasswordCredential(password="123") ) diff --git a/warpgate-admin/Cargo.toml b/warpgate-admin/Cargo.toml index 862b7014..e2d2f497 100644 --- a/warpgate-admin/Cargo.toml +++ b/warpgate-admin/Cargo.toml @@ -13,12 +13,7 @@ futures.workspace = true hex = { version = "0.4", default-features = false } mime_guess = { version = "2.0", default-features = false } poem.workspace = true -poem-openapi = { version = "5.1", features = [ - "swagger-ui", - "chrono", - "uuid", - "static-files", -], default-features = false } +poem-openapi.workspace = true russh.workspace = true rust-embed = { version = "8.3", default-features = false } sea-orm.workspace = true diff --git a/warpgate-common/Cargo.toml b/warpgate-common/Cargo.toml index 784fbd53..93a8635a 100644 --- a/warpgate-common/Cargo.toml +++ b/warpgate-common/Cargo.toml @@ -21,12 +21,7 @@ futures.workspace = true once_cell = { version = "1.17", default-features = false } password-hash.workspace = true poem = { version = "3.1", features = ["rustls"], default-features = false } -poem-openapi = { version = "5.1", features = [ - "swagger-ui", - "chrono", - "uuid", - "static-files", -], default-features = false } +poem-openapi.workspace = true rand.workspace = true rand_chacha.workspace = true rand_core.workspace = true diff --git a/warpgate-core/Cargo.toml b/warpgate-core/Cargo.toml index 3b55a2fb..408cca59 100644 --- a/warpgate-core/Cargo.toml +++ b/warpgate-core/Cargo.toml 
@@ -23,12 +23,7 @@ once_cell = "1.17" packet = "0.1" password-hash.workspace = true poem.workspace = true -poem-openapi = { version = "5.1", features = [ - "swagger-ui", - "chrono", - "uuid", - "static-files", -], default-features = false } +poem-openapi.workspace = true rand.workspace = true rand_chacha.workspace = true rand_core.workspace = true diff --git a/warpgate-db-entities/Cargo.toml b/warpgate-db-entities/Cargo.toml index c05792ba..4e8c14ca 100644 --- a/warpgate-db-entities/Cargo.toml +++ b/warpgate-db-entities/Cargo.toml @@ -7,7 +7,7 @@ version = "0.14.0" [dependencies] bytes = { version = "1.4", default-features = false } chrono = { version = "0.4", default-features = false, features = ["serde"] } -poem-openapi = { version = "5.1", features = ["chrono", "uuid"], default-features = false } +poem-openapi.workspace = true sqlx.workspace = true sea-orm = { workspace = true, features = [ "macros", diff --git a/warpgate-protocol-http/Cargo.toml b/warpgate-protocol-http/Cargo.toml index 3ac43dc8..dafd9e02 100644 --- a/warpgate-protocol-http/Cargo.toml +++ b/warpgate-protocol-http/Cargo.toml @@ -15,7 +15,7 @@ futures.workspace = true http = { version = "1.0", default-features = false } once_cell = { version = "1.17", default-features = false } poem.workspace = true -poem-openapi = { version = "5.1", features = ["swagger-ui"], default-features = false } +poem-openapi.workspace = true reqwest = { version = "0.12", features = [ "http2", # required for connecting to targets behind AWS ELB "rustls-tls-native-roots-no-provider", diff --git a/warpgate-web/src/gateway/Login.svelte b/warpgate-web/src/gateway/Login.svelte index 67828fbc..0811a20e 100644 --- a/warpgate-web/src/gateway/Login.svelte +++ b/warpgate-web/src/gateway/Login.svelte @@ -213,7 +213,7 @@ {#snippet children(ssoProviders)}
- {#each ssoProviders as ssoProvider} + {#each ssoProviders as ssoProvider (ssoProvider.name)}