Merge pull request #247 from authorizerdev/fix/same-site-cookie

fix(server): use sameSite as lax by default for app cookie
Lakhan Samani 2022-09-28 11:18:03 +05:30 committed by GitHub
commit d8ea0c656f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 3 deletions


@ -29,10 +29,18 @@ func SetSession(gc *gin.Context, sessionID string) {
domain = "." + domain domain = "." + domain
} }
// Use sameSite = lax by default
// Since app cookie can come from cross site it becomes important to set this in lax mode.
// Example person using custom UI on their app domain and making request to authorizer domain.
// For more information check:
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
// https://github.com/gin-gonic/gin/blob/master/context.go#L86
// TODO add ability to sameSite = none / strict from dashboard
gc.SetSameSite(http.SameSiteLaxMode)
// TODO allow configuring from dashboard // TODO allow configuring from dashboard
year := 60 * 60 * 24 * 365 year := 60 * 60 * 24 * 365
gc.SetSameSite(http.SameSiteNoneMode)
gc.SetCookie(constants.AppCookieName+"_session", sessionID, year, "/", host, secure, httpOnly) gc.SetCookie(constants.AppCookieName+"_session", sessionID, year, "/", host, secure, httpOnly)
gc.SetCookie(constants.AppCookieName+"_session_domain", sessionID, year, "/", domain, secure, httpOnly) gc.SetCookie(constants.AppCookieName+"_session_domain", sessionID, year, "/", domain, secure, httpOnly)
} }
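Review bot: The justification in the new comment block above `gc.SetSameSite(http.SameSiteLaxMode)` is inverted: SameSite=Lax makes browsers omit the cookie on cross-site subrequests (fetch/XHR and cross-site POSTs) and attach it only on top-level navigations with safe methods, so a custom UI on another origin calling this server is exactly the case Lax does not cover. Lax is the safer default against CSRF and the switch away from None is sound, but the comment should state the real trade-off, e.g. replace the second and third comment lines with `// Lax: cookie is sent on top-level navigations but not on cross-site fetch/XHR; a UI hosted on another origin needs SameSite=None, which browsers only accept together with Secure.` The existing `// TODO allow configuring from dashboard` above `year :=` now duplicates the new `// TODO add ability to sameSite = none / strict from dashboard`; keep one of them. SetSession begins before this hunk.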


@ -11,8 +11,8 @@ import (
) )
// GetHost returns hostname from request context // GetHost returns hostname from request context
// if X-Authorizer-URL header is set it is given highest priority // if EnvKeyAuthorizerURL is set it is given highest priority.
// if EnvKeyAuthorizerURL is set it is given second highest priority. // if X-Authorizer-URL header is set it is given second highest priority
// if above 2 are not set the requesting host name is used // if above 2 are not set the requesting host name is used
func GetHost(c *gin.Context) string { func GetHost(c *gin.Context) string {
authorizerURL, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL) authorizerURL, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAuthorizerURL)