1. support cookie max age configuration

chengjoey · chengjoey · commit 6e8d9b41676c · 2024-05-06T14:03:37.000+08:00
2. set cookie same site default as `lax`
diff --git a/cmd/erda-server/bootstrap.yaml b/cmd/erda-server/bootstrap.yaml
@@ -139,9 +139,10 @@ openapi-interceptor-csrf:
   cookie_name: "OPENAPI-CSRF-TOKEN"
   cookie_domain: "${CSRF_COOKIE_DOMAIN}"
   cookie_path: "/"
-  cookie_max_age: "12h"
+  cookie_max_age: "${COOKIE_MAX_AGE:12h}"
   token_lookup: "header:OPENAPI-CSRF-TOKEN"
   cookie_http_only: true
+  cookie_same_site: "${COOKIE_SAME_SITE:2}"
 openapi-interceptor-filter-client-header:
   order: 11
 openapi-interceptor-auth-session-compatibility:
diff --git a/internal/core/openapi/openapi-ng/interceptors/csrf/csrf.go b/internal/core/openapi/openapi-ng/interceptors/csrf/csrf.go
@@ -44,6 +44,9 @@ type config struct {
 	CookiePath        string        `file:"cookie_path" default:"/" desc:"path of the CSRF cookie. optional."`
 	CookieMaxAge      time.Duration `file:"cookie_max_age" default:"24h" desc:"max age of the CSRF cookie. optional."`
 	CookieHTTPOnly    bool          `file:"cookie_http_only" default:"false" desc:"indicates if CSRF cookie is HTTP only. optional."`
+
+	// CookieSameSite default set to 2, which is `lax`, more options see https://github.com/golang/go/blob/619b419a4b1506bde1aa7e833898f2f67fd0e83e/src/net/http/cookie.go#L52-L57
+	CookieSameSite http.SameSite `file:"cookie_same_site" default:"2" desc:"indicates if CSRF cookie is SameSite. optional."`
 }
 
 type (
@@ -250,6 +253,7 @@ func (p *provider) setCSRFCookie(rw http.ResponseWriter, r *http.Request, token
 	cookie.Expires = time.Now().Add(p.Cfg.CookieMaxAge)
 	cookie.Secure = p.getScheme(r) == "https"
 	cookie.HttpOnly = p.Cfg.CookieHTTPOnly
+	cookie.SameSite = p.Cfg.CookieSameSite
 	http.SetCookie(rw, cookie)
 	return token
 }
