Merge pull request #83 from firehooper/feature/82-same-site-cookies-config-deps-update

82 SameSite cookies config; deps update

Author: adamw

build.sbt

@@ -1,16 +1,16 @@
 lazy val commonSettings = commonSmlBuildSettings ++ ossPublishSettings ++ Seq(
   organization := "com.softwaremill.akka-http-session",
-  scalaVersion := "2.12.12",
-  crossScalaVersions := Seq(scalaVersion.value, "2.13.4")
+  scalaVersion := "2.13.8",
+  crossScalaVersions := Seq(scalaVersion.value, "2.12.15")
 )
 
-val akkaHttpVersion = "10.2.1"
-val akkaStreamsVersion = "2.6.10"
-val json4sVersion = "3.6.10"
+val akkaHttpVersion = "10.2.7"
+val akkaStreamsVersion = "2.6.18"
+val json4sVersion = "4.0.4"
 val akkaStreamsProvided = "com.typesafe.akka" %% "akka-stream" % akkaStreamsVersion % "provided"
 val akkaStreamsTestkit = "com.typesafe.akka" %% "akka-stream-testkit" % akkaStreamsVersion % "test"
 
-val scalaTest = "org.scalatest" %% "scalatest" % "3.2.3" % "test"
+val scalaTest = "org.scalatest" %% "scalatest" % "3.2.11" % "test"
 
 lazy val rootProject = (project in file("."))
   .settings(commonSettings: _*)
@@ -26,7 +26,7 @@ lazy val core: Project = (project in file("core"))
       akkaStreamsProvided,
       "com.typesafe.akka" %% "akka-http-testkit" % akkaHttpVersion % "test",
       akkaStreamsTestkit,
-      "org.scalacheck" %% "scalacheck" % "1.15.1" % "test",
+      "org.scalacheck" %% "scalacheck" % "1.15.4" % "test",
       scalaTest
     )
   )
@@ -37,11 +37,13 @@ lazy val jwt: Project = (project in file("jwt"))
     name := "jwt",
     libraryDependencies ++= Seq(
       "org.json4s" %% "json4s-jackson" % json4sVersion,
+      "org.json4s" %% "json4s-ast" % json4sVersion,
+      "org.json4s" %% "json4s-core" % json4sVersion,
       akkaStreamsProvided,
       scalaTest
     ),
     // generating docs for 2.13 causes an error: "not found: type DefaultFormats$"
-    sources in (Compile, doc) := Seq.empty
+    Compile / doc / sources := Seq.empty
   ) dependsOn (core)
 
 lazy val example: Project = (project in file("example"))
@@ -50,8 +52,8 @@ lazy val example: Project = (project in file("example"))
     publishArtifact := false,
     libraryDependencies ++= Seq(
       akkaStreamsProvided,
-      "com.typesafe.scala-logging" %% "scala-logging" % "3.9.2",
-      "ch.qos.logback" % "logback-classic" % "1.2.3",
+      "com.typesafe.scala-logging" %% "scala-logging" % "3.9.4",
+      "ch.qos.logback" % "logback-classic" % "1.2.10",
       "org.json4s" %% "json4s-ext" % json4sVersion
     )
   )
@@ -61,16 +63,16 @@ lazy val javaTests: Project = (project in file("javaTests"))
   .settings(commonSettings: _*)
   .settings(
     name := "javaTests",
-    testOptions in Test := Seq(Tests.Argument(TestFrameworks.JUnit, "-a")), // required for javadsl JUnit tests
+    Test / testOptions  := Seq(Tests.Argument(TestFrameworks.JUnit, "-a")), // required for javadsl JUnit tests
     crossPaths := false, // https://github.com/sbt/junit-interface/issues/35
     publishArtifact := false,
     libraryDependencies ++= Seq(
       akkaStreamsProvided,
       "com.typesafe.akka" %% "akka-http" % akkaHttpVersion,
       "com.typesafe.akka" %% "akka-http-testkit" % akkaHttpVersion % "test",
       akkaStreamsTestkit,
-      "junit" % "junit" % "4.13.1" % "test",
-      "com.novocode" % "junit-interface" % "0.11" % "test",
+      "junit"           % "junit"           %  "4.13.2" % "test",
+      "com.github.sbt"  % "junit-interface" %  "0.13.3" % "test",
       scalaTest
     )
   )

core/src/main/resources/reference.conf

@@ -5,6 +5,7 @@ akka.http.session {
     path = /
     secure = false
     http-only = true
+    same-site = Lax
   }
   header {
     send-to-client-name = "Set-Authorization"
@@ -26,6 +27,7 @@ akka.http.session {
       path = /
       secure = false
       http-only = false
+      same-site = Lax
     }
     submitted-name = "X-XSRF-TOKEN"
   }
@@ -37,6 +39,7 @@ akka.http.session {
       path = /
       secure = false
       http-only = true
+      same-site = Lax
     }
     header {
       send-to-client-name = "Set-Refresh-Token"

core/src/main/scala/com/softwaremill/session/SessionConfig.scala

@@ -5,8 +5,9 @@ import java.util.concurrent.TimeUnit
 import com.softwaremill.session.JwsAlgorithm.{HmacSHA256, Rsa}
 import com.softwaremill.session.SessionConfig.{JwsConfig, JwtConfig}
 import com.typesafe.config.{Config, ConfigFactory, ConfigValueFactory}
+import akka.http.scaladsl.model.headers.SameSite
 
-case class CookieConfig(name: String, domain: Option[String], path: Option[String], secure: Boolean, httpOnly: Boolean)
+case class CookieConfig(name: String, domain: Option[String], path: Option[String], secure: Boolean, httpOnly: Boolean, sameSite: Option[SameSite])
 
 case class HeaderConfig(sendToClientHeaderName: String, getFromClientHeaderName: String)
 
@@ -119,7 +120,8 @@ object SessionConfig {
         domain = scopedConfig.getOptionalString("cookie.domain"),
         path = scopedConfig.getOptionalString("cookie.path"),
         secure = scopedConfig.getBoolean("cookie.secure"),
-        httpOnly = scopedConfig.getBoolean("cookie.http-only")
+        httpOnly = scopedConfig.getBoolean("cookie.http-only"),
+        sameSite = scopedConfig.getOptionalString("cookie.same-site").flatMap { SameSite(_) },
       ),
       sessionHeaderConfig = HeaderConfig(
         sendToClientHeaderName = scopedConfig.getString("header.send-to-client-name"),
@@ -132,15 +134,17 @@ object SessionConfig {
         domain = csrfConfig.getOptionalString("cookie.domain"),
         path = csrfConfig.getOptionalString("cookie.path"),
         secure = csrfConfig.getBoolean("cookie.secure"),
-        httpOnly = csrfConfig.getBoolean("cookie.http-only")
+        httpOnly = csrfConfig.getBoolean("cookie.http-only"),
+        sameSite = scopedConfig.getOptionalString("cookie.same-site").flatMap { SameSite(_) },
       ),
       csrfSubmittedName = csrfConfig.getString("submitted-name"),
       refreshTokenCookieConfig = CookieConfig(
         name = refreshTokenConfig.getString("cookie.name"),
         domain = refreshTokenConfig.getOptionalString("cookie.domain"),
         path = refreshTokenConfig.getOptionalString("cookie.path"),
         secure = refreshTokenConfig.getBoolean("cookie.secure"),
-        httpOnly = refreshTokenConfig.getBoolean("cookie.http-only")
+        httpOnly = refreshTokenConfig.getBoolean("cookie.http-only"),
+        sameSite = scopedConfig.getOptionalString("cookie.same-site").flatMap { SameSite(_) },
       ),
       refreshTokenHeaderConfig = HeaderConfig(
         sendToClientHeaderName = refreshTokenConfig.getString("header.send-to-client-name"),

core/src/main/scala/com/softwaremill/session/SessionManager.scala

@@ -50,8 +50,8 @@ trait ClientSessionManager[T] {
       domain = config.sessionCookieConfig.domain,
       path = config.sessionCookieConfig.path,
       secure = config.sessionCookieConfig.secure,
-      httpOnly = config.sessionCookieConfig.httpOnly
-    )
+      httpOnly = config.sessionCookieConfig.httpOnly,
+    ).withSameSite(config.sessionCookieConfig.sameSite)
 
   def createHeader(data: T) = createHeaderWithValue(encode(data))
 
@@ -114,8 +114,8 @@ trait CsrfManager[T] {
       domain = config.csrfCookieConfig.domain,
       path = config.csrfCookieConfig.path,
       secure = config.csrfCookieConfig.secure,
-      httpOnly = config.csrfCookieConfig.httpOnly
-    )
+      httpOnly = config.csrfCookieConfig.httpOnly,
+    ).withSameSite(config.csrfCookieConfig.sameSite)
 }
 
 trait RefreshTokenManager[T] {
@@ -168,8 +168,8 @@ trait RefreshTokenManager[T] {
       domain = config.refreshTokenCookieConfig.domain,
       path = config.refreshTokenCookieConfig.path,
       secure = config.refreshTokenCookieConfig.secure,
-      httpOnly = config.refreshTokenCookieConfig.httpOnly
-    )
+      httpOnly = config.refreshTokenCookieConfig.httpOnly,
+    ).withSameSite(config.refreshTokenCookieConfig.sameSite)
 
   def createHeader(value: String) =
     RawHeader(name = config.refreshTokenHeaderConfig.sendToClientHeaderName, value = value)

jwt/src/main/java/com/softwaremill/session/javadsl/JwtSessionSerializers.java

@@ -3,7 +3,7 @@
 import com.softwaremill.session.JValueSessionSerializer$;
 import com.softwaremill.session.SessionSerializer;
 import org.json4s.DefaultFormats$;
-import org.json4s.JsonAST;
+import org.json4s.JValue;
 
 /**
  * Wrapper for session transports in com.softwaremill.session.JValueSessionSerializer
@@ -12,11 +12,11 @@ public final class JwtSessionSerializers {
 
     public static final DefaultFormats$ DefaultUtcDateFormat = DefaultFormats$.MODULE$;
 
-    public static final SessionSerializer<String, JsonAST.JValue> StringToJValueSessionSerializer = JValueSessionSerializer$.MODULE$.stringToJValueSessionSerializer();
-    public static final SessionSerializer<Integer, JsonAST.JValue> IntToJValueSessionSerializer = (SessionSerializer<Integer, JsonAST.JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.intToJValueSessionSerializer();
-    public static final SessionSerializer<Long, JsonAST.JValue> LongToJValueSessionSerializer = (SessionSerializer<Long, JsonAST.JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.longToJValueSessionSerializer();
-    public static final SessionSerializer<Float, JsonAST.JValue> FloatToJValueSessionSerializer = (SessionSerializer<Float, JsonAST.JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.floatToJValueSessionSerializer();
-    public static final SessionSerializer<Double, JsonAST.JValue> DoubleToJValueSessionSerializer = (SessionSerializer<Double, JsonAST.JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.doubleToJValueSessionSerializer();
+    public static final SessionSerializer<String, JValue> StringToJValueSessionSerializer = JValueSessionSerializer$.MODULE$.stringToJValueSessionSerializer();
+    public static final SessionSerializer<Integer, JValue> IntToJValueSessionSerializer = (SessionSerializer<Integer, JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.intToJValueSessionSerializer();
+    public static final SessionSerializer<Long, JValue> LongToJValueSessionSerializer = (SessionSerializer<Long, JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.longToJValueSessionSerializer();
+    public static final SessionSerializer<Float, JValue> FloatToJValueSessionSerializer = (SessionSerializer<Float, JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.floatToJValueSessionSerializer();
+    public static final SessionSerializer<Double, JValue> DoubleToJValueSessionSerializer = (SessionSerializer<Double, JValue>) (SessionSerializer) JValueSessionSerializer$.MODULE$.doubleToJValueSessionSerializer();
 
     private JwtSessionSerializers() {
     }

project/build.properties

@@ -1 +1 @@
-sbt.version=1.4.3
+sbt.version=1.6.1

project/plugins.sbt

@@ -1,3 +1,4 @@
 addSbtPlugin("com.softwaremill.sbt-softwaremill" % "sbt-softwaremill-common" % "1.9.14")
 addSbtPlugin("com.softwaremill.sbt-softwaremill" % "sbt-softwaremill-publish" % "1.9.14")
-addSbtPlugin("com.softwaremill.sbt-softwaremill" % "sbt-softwaremill-extra" % "1.9.14")
+addSbtPlugin("com.softwaremill.sbt-softwaremill" % "sbt-softwaremill-extra" % "1.9.14")
+addSbtPlugin("org.wartremover" % "sbt-wartremover" % "2.4.16")