From 132e3d91d6f79e1ad36e704857a5ad8861aa1ca6 Mon Sep 17 00:00:00 2001
From: Tom Taylor
Date: Mon, 19 Jan 2015 15:52:18 +0000
Subject: [PATCH] Add flag to enable/disable cookie's HttpOnly flag.
---
 contrib/google_auth_proxy.cfg.example | 1 +
 main.go | 1 +
 oauthproxy.go | 8 +++++---
 options.go | 2 ++
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/contrib/google_auth_proxy.cfg.example b/contrib/google_auth_proxy.cfg.example
index 1f4aded..7034a58 100644
--- a/contrib/google_auth_proxy.cfg.example
+++ b/contrib/google_auth_proxy.cfg.example
@@ -42,3 +42,4 @@
 # cookie_domain = ""
 # cookie_expire = "168h"
 # cookie_https_only = true
+# cookie_httponly = true
diff --git a/main.go b/main.go
index be547d8..50ae79a 100644
--- a/main.go
+++ b/main.go
@@ -41,6 +41,7 @@ func main() {
 flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
 flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
 flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie")
+ flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie")
 flagSet.Parse(os.Args[1:])
diff --git a/oauthproxy.go b/oauthproxy.go
index 9f64fc0..1f70198 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -27,6 +27,7 @@ type OauthProxy struct {
 CookieKey string
 CookieDomain string
 CookieHttpsOnly bool
+ CookieHttpOnly bool
 CookieExpire time.Duration
 Validator func(string) bool
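Review bot: The new flag name `cookie-httponly` on the added `flagSet.Bool` line is spelled differently from its sibling `cookie-https-only` on the line above (no hyphen between "http" and "only"), and the cfg key `cookie_httponly` in the example file follows the same spelling, so an operator who guesses by analogy gets an unknown-flag error; `cookie-http-only` / `cookie_http_only` would match the existing convention and renaming is cheap before this ships. The help text "set HttpOnly cookie" also reads as if the flag turns something on, when it is a default-true switch whose only use is to weaken the session cookie; `"set HttpOnly flag on the session cookie (default true; disabling exposes the cookie to JavaScript)"` would say what the knob actually does. main's body continues outside the hunk.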
@@ -67,12 +68,13 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 if domain == "" {
 domain = ""
 }
- log.Printf("Cookie settings: https_only: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieExpire, domain)
+ log.Printf("Cookie settings: https_only: %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
 return &OauthProxy{
 CookieKey: "_oauthproxy",
 CookieSeed: opts.CookieSecret,
 CookieDomain: opts.CookieDomain,
 CookieHttpsOnly: opts.CookieHttpsOnly,
+ CookieHttpOnly: opts.CookieHttpOnly,
 CookieExpire: opts.CookieExpire,
 Validator: validator,
@@ -197,7 +199,7 @@ func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
 Path: "/",
 Domain: domain,
 Expires: time.Now().Add(time.Duration(1) * time.Hour * -1),
- HttpOnly: true,
+ HttpOnly: p.CookieHttpOnly,
 }
 http.SetCookie(rw, cookie)
 }
@@ -213,7 +215,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
 Value: signedCookieValue(p.CookieSeed, p.CookieKey, val),
 Path: "/",
 Domain: domain,
- HttpOnly: true,
+ HttpOnly: p.CookieHttpOnly,
 Secure: p.CookieHttpsOnly,
 Expires: time.Now().Add(p.CookieExpire),
 }
diff --git a/options.go b/options.go
index 803ef30..49a1515 100644
--- a/options.go
+++ b/options.go
@@ -21,6 +21,7 @@ type Options struct {
 CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
 CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
 CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"`
+ CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
 AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
 Upstreams []string `flag:"upstream" cfg:"upstreams"`
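Review bot: Turning HttpOnly off on the session cookie is a security downgrade, yet the changed `log.Printf` in NewOauthProxy only records the value next to the other settings at the same level as expiry and domain, so a misconfiguration looks like any other startup line. I would emit an explicit warning just before that call when the option is off, e.g. `if !opts.CookieHttpOnly { log.Printf("WARNING: cookie-httponly is disabled; the signed session cookie is readable by JavaScript on proxied pages") }`, so nobody disables it by accident. As a minor style point, the format string writes `domain:%s` without the space every other field has; `domain: %s` would align it. NewOauthProxy starts and ends outside the hunk.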
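Review bot: Nothing in SetCookie says what turning `p.CookieHttpOnly` off means for the cookie it writes: the value comes from signedCookieValue and the cookie is scoped to `Path: "/"`, so without HttpOnly it is readable through document.cookie on every page served under the cookie domain and any XSS in an upstream application yields a usable session. I would add a comment above the changed `HttpOnly: p.CookieHttpOnly,` line: `// HttpOnly is operator-configurable (cookie-httponly); keep it on unless script access to the session cookie is truly required.` SetCookie begins before the hunk.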
@@ -37,6 +38,7 @@ func NewOptions() *Options {
 HttpAddress: "127.0.0.1:4180",
 DisplayHtpasswdForm: true,
 CookieHttpsOnly: true,
+ CookieHttpOnly: true,
 PassBasicAuth: true,
 CookieExpire: time.Duration(168) * time.Hour,
 }