fix: distinguer le nom du cookie pour stocker le token par environnement

dmc1985 · dmc1985 · commit d778898a330d · 2026-03-18T17:37:52.000+01:00
diff --git a/back/config/settings/base.py b/back/config/settings/base.py
@@ -632,6 +632,10 @@
 # et pour activer le SSL sur la connexion à la base de données.
 ENVIRONMENT = os.getenv("ENVIRONMENT", "local")
 
+# Nom du cookie d'authentification : différencié par environnement pour éviter
+# les collisions de cookies entre prod et staging (même domaine parent).
+AUTH_COOKIE_NAME = "token" if ENVIRONMENT == "production" else f"token_{ENVIRONMENT}"
+
 # Profiling (Silk) :
 # Doit être explicitement activé (via env var)
 PROFILE = False
diff --git a/back/dora/core/tests/test_utils.py b/back/dora/core/tests/test_utils.py
@@ -226,17 +226,19 @@ def test_address_to_one_line(address1, address2, postal_code, city, expected):
     assert address_to_one_line(address1, address2, postal_code, city) == expected
 
 
-@override_settings(FRONTEND_URL="https://subdomain.example.com")
+@override_settings(
+    FRONTEND_URL="https://subdomain.example.com", AUTH_COOKIE_NAME="token_test"
+)
 def test_set_auth_token_cookie():
     """set_auth_token_cookie définit le cookie avec les bons attributs."""
     response = HttpResponse()
     token_key = "test-token-key-12345"
 
     set_auth_token_cookie(response, token_key)
 
-    cookie = response.cookies["token"]
+    cookie = response.cookies["token_test"]
 
     assert (
         cookie.OutputString()
-        == f"token={token_key}; Domain=subdomain.example.com; Path=/; SameSite=Lax; Secure"
+        == f"token_test={token_key}; Domain=subdomain.example.com; Path=/; SameSite=Lax; Secure"
     )
diff --git a/back/dora/core/utils.py b/back/dora/core/utils.py
@@ -161,4 +161,4 @@ def set_auth_token_cookie(response: HttpResponse, token_key: str):
     parsed_frontend_url = urlparse(settings.FRONTEND_URL)
     cookie_kwargs["domain"] = parsed_frontend_url.hostname
 
-    response.set_cookie("token", token_key, **cookie_kwargs)
+    response.set_cookie(settings.AUTH_COOKIE_NAME, token_key, **cookie_kwargs)
diff --git a/front/src/hooks.server.ts b/front/src/hooks.server.ts
@@ -10,6 +10,7 @@ import { ENVIRONMENT, SENTRY_DSN } from "$lib/env";
 import { handleInboundNexusAutoLogin } from "$lib/utils/nexus";
 
 import { MAX_REQUESTS_PER_MINUTE } from "$env/static/private";
+import { TOKEN_KEY } from "$lib/utils/auth";
 
 const rateLimiter = new RetryAfterRateLimiter({
   IPUA: [Number(MAX_REQUESTS_PER_MINUTE) || 24, "m"],
@@ -48,7 +49,7 @@ export const handle: Handle = sequence(
       );
     }
 
-    const token = event.cookies.get("token");
+    const token = event.cookies.get(TOKEN_KEY);
     await handleInboundNexusAutoLogin(event.url, token);
 
     const response = await resolve(event);
diff --git a/front/src/lib/utils/auth.ts b/front/src/lib/utils/auth.ts
@@ -9,7 +9,10 @@ import { log, logException } from "./logger";
 import { userPreferencesSet } from "./preferences";
 import { invalidateServicesOptionsCache } from "$lib/cache/services-options";
 
-const TOKEN_KEY = "token";
+export const TOKEN_KEY =
+  import.meta.env.VITE_ENVIRONMENT === "production"
+    ? "token"
+    : `token_${import.meta.env.VITE_ENVIRONMENT}`;
 
 export type UserMainActivity =
   | "accompagnateur"
diff --git a/front/src/routes/(modeles-services)/services/[slug]/+page.server.ts b/front/src/routes/(modeles-services)/services/[slug]/+page.server.ts
@@ -3,6 +3,7 @@ import { redirect } from "@sveltejs/kit";
 import type { PageServerLoad } from "./$types";
 import { handleEmploisOrientation } from "$lib/requests/emplois-orientation";
 import { ORIENTATION_JWT_QUERY_PARAM } from "$lib/consts";
+import { TOKEN_KEY } from "$lib/utils/auth";
 
 export const load: PageServerLoad = async ({ url, params, cookies }) => {
   const opJwt = url.searchParams.get(ORIENTATION_JWT_QUERY_PARAM);
@@ -12,7 +13,7 @@ export const load: PageServerLoad = async ({ url, params, cookies }) => {
     return;
   }
 
-  const token = cookies.get("token");
+  const token = cookies.get(TOKEN_KEY);
 
   const response = await handleEmploisOrientation({
     serviceSlug: params.slug,
diff --git a/front/src/routes/nexus/auto-login/+page.server.ts b/front/src/routes/nexus/auto-login/+page.server.ts
@@ -1,9 +1,10 @@
 import { getApiURL } from "$lib/utils/api";
 import { error, redirect } from "@sveltejs/kit";
 import type { RequestEvent } from "@sveltejs/kit";
+import { TOKEN_KEY } from "$lib/utils/auth";
 
 export const load = async ({ cookies, url }: RequestEvent) => {
-  const token = cookies.get("token") ?? null;
+  const token = cookies.get(TOKEN_KEY) ?? null;
 
   const nextUrl = url.searchParams.get("next");
 
