
Commit 0a1ebf7

authored
fix(api): http cookies properties (#5792)
Signed-off-by: francois samin <[email protected]>
1 parent a232316 commit 0a1ebf7


4 files changed

+26
-17
lines changed


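--- a/engine/api/api.go
+++ b/engine/api/api.go
@@ -878,26 +878,29 @@ func (a *API) Serve(ctx context.Context) error {
 // This will returns a cookie with no expiration date that should be dropped by browser when closed.
 func (a *API) SetCookieSession(w http.ResponseWriter, name, value string) {
 a.setCookie(w, &http.Cookie{
-Name: name,
-Value: value,
+Name: name,
+Value: value,
+HttpOnly: false,
 })
 }
 
 // SetCookie on given response writter, automatically add domain and path based on api config.
-func (a *API) SetCookie(w http.ResponseWriter, name, value string, expires time.Time) {
+func (a *API) SetCookie(w http.ResponseWriter, name, value string, expires time.Time, httpOnly bool) {
 a.setCookie(w, &http.Cookie{
-Name: name,
-Value: value,
-Expires: expires,
+Name: name,
+Value: value,
+Expires: expires,
+HttpOnly: httpOnly,
 })
 }
 
 // UnsetCookie on given response writter, automatically add domain and path based on api config.
-func (a *API) UnsetCookie(w http.ResponseWriter, name string) {
+func (a *API) UnsetCookie(w http.ResponseWriter, name string, httpOnly bool) {
 a.setCookie(w, &http.Cookie{
-Name: name,
-Value: "",
-MaxAge: -1,
+Name: name,
+Value: "",
+MaxAge: -1,
+HttpOnly: httpOnly,
 })
 }
 
@@ -910,6 +913,12 @@ func (a *API) setCookie(w http.ResponseWriter, c *http.Cookie) {
 c.Path = "/"
 }
 }
+c.SameSite = http.SameSiteStrictMode
+c.Secure = true
+uiURL, _ := url.Parse(a.Config.URL.UI)
+if uiURL != nil && uiURL.Hostname() != "" {
+c.Domain = uiURL.Hostname()
+}
 http.SetCookie(w, c)
 }
 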
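Review bot: `c.Secure = true` in setCookie is unconditional, so on a deployment reached over plain HTTP (a local or non-TLS setup) browsers will refuse to store the session cookie and every sign-in will silently appear to fail; either derive the flag from the configured UI URL scheme or a config option, or document that TLS is now mandatory for the API and UI. The same hunk discards the `url.Parse` error and relies on the following nil check; `uiURL, err := url.Parse(a.Config.URL.UI); if err == nil && uiURL.Hostname() != "" {` states that intent explicitly. Setting `c.Domain` to the UI hostname also means the cookie is sent to every subdomain of that host, and if the API answers on a host not covered by that domain the browser drops the cookie, so a comment recording the assumption that UI and API share a domain would help the next maintainer. The doc comments on SetCookie and UnsetCookie still mention only domain and path; they should now also say the cookie is marked SameSite=Strict and Secure and carries the HttpOnly flag passed by the caller. setCookie's body begins outside the second hunk.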
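--- a/engine/api/auth.go
+++ b/engine/api/auth.go
@@ -291,7 +291,7 @@ func (api *API) postAuthSigninHandler() service.Handler {
 }
 
 // Set a cookie with the jwt token
-api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 // Prepare http response
 resp := sdk.AuthConsumerSigninResponse{
@@ -313,7 +313,7 @@ func (api *API) postAuthSignoutHandler() service.Handler {
 }
 
 // Delete the jwt cookie value
-api.UnsetCookie(w, service.JWTCookieName)
+api.UnsetCookie(w, service.JWTCookieName, true)
 
 return service.WriteJSON(w, nil, http.StatusOK)
 }
@@ -356,7 +356,7 @@ func (api *API) postAuthDetachHandler() service.Handler {
 
 // If we just removed the current consumer, clean http cookie.
 if consumer.ID == currentConsumer.ID {
-api.UnsetCookie(w, service.JWTCookieName)
+api.UnsetCookie(w, service.JWTCookieName, true)
 }
 
 return service.WriteJSON(w, nil, http.StatusOK)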
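Review bot: Every call site in this section passes a bare `true` as the new httpOnly argument (`api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)` and the two `UnsetCookie` calls), and the same literal is repeated in auth_builtin.go and auth_local.go, so a reader cannot tell what the flag means without opening api.go. Since every visible caller sets it and the only non-HttpOnly cookie already goes through SetCookieSession, consider making HttpOnly the default inside SetCookie and UnsetCookie, or at least naming the flag once, e.g. `const jwtCookieHTTPOnly = true`, and passing that at each site. Each enclosing handler starts and ends outside its hunk.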
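--- a/engine/api/auth_builtin.go
+++ b/engine/api/auth_builtin.go
@@ -65,7 +65,7 @@ func (api *API) postAuthBuiltinSigninHandler() service.Handler {
 }
 
 // Set a cookie with the jwt token
-api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 usr, err := user.LoadByID(ctx, tx, consumer.AuthentifiedUserID)
 if err != nil {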
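--- a/engine/api/auth_local.go
+++ b/engine/api/auth_local.go
@@ -220,7 +220,7 @@ func (api *API) postAuthLocalSigninHandler() service.Handler {
 }
 
 // Set a cookie with the jwt token
-api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 // Prepare http response
 resp := sdk.AuthConsumerSigninResponse{
@@ -353,7 +353,7 @@ func (api *API) postAuthLocalVerifyHandler() service.Handler {
 local.CleanVerifyConsumerToken(api.Cache, consumer.ID)
 
 // Set a cookie with the jwt token
-api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 // Prepare http response
 resp := sdk.AuthConsumerSigninResponse{
@@ -521,7 +521,7 @@ func (api *API) postAuthLocalResetHandler() service.Handler {
 local.CleanResetConsumerToken(api.Cache, consumer.ID)
 
 // Set a cookie with the jwt token
-api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 // Prepare http response
 resp := sdk.AuthConsumerSigninResponse{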