Add flag to enable/disable cookie's HttpOnly flag.

Tom Taylor 2015-01-19 15:52:18 +00:00
parent 9d264f304f
commit 132e3d91d6
4 changed files with 9 additions and 3 deletions


@ -42,3 +42,4 @@
# cookie_domain = "" # cookie_domain = ""
# cookie_expire = "168h" # cookie_expire = "168h"
# cookie_https_only = true # cookie_https_only = true
# cookie_httponly = true


@ -41,6 +41,7 @@ func main() {
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*") flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie") flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie") flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie")
flagSet.Parse(os.Args[1:]) flagSet.Parse(os.Args[1:])
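Review bot: The usage string on the new `cookie-httponly` flag, `"set HttpOnly cookie"`, does not tell an operator what turning it off does. With the flag false the proxy's session cookie becomes readable from page scripts, which is the exposure HttpOnly exists to prevent, so the help text should say so, for example `flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag (when false, page scripts can read the session cookie)")`. main() starts and continues outside the hunk.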


@ -27,6 +27,7 @@ type OauthProxy struct {
CookieKey string CookieKey string
CookieDomain string CookieDomain string
CookieHttpsOnly bool CookieHttpsOnly bool
CookieHttpOnly bool
CookieExpire time.Duration CookieExpire time.Duration
Validator func(string) bool Validator func(string) bool
@ -67,12 +68,13 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
if domain == "" { if domain == "" {
domain = "<default>" domain = "<default>"
} }
log.Printf("Cookie settings: https_only: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieExpire, domain) log.Printf("Cookie settings: https_only: %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
return &OauthProxy{ return &OauthProxy{
CookieKey: "_oauthproxy", CookieKey: "_oauthproxy",
CookieSeed: opts.CookieSecret, CookieSeed: opts.CookieSecret,
CookieDomain: opts.CookieDomain, CookieDomain: opts.CookieDomain,
CookieHttpsOnly: opts.CookieHttpsOnly, CookieHttpsOnly: opts.CookieHttpsOnly,
CookieHttpOnly: opts.CookieHttpOnly,
CookieExpire: opts.CookieExpire, CookieExpire: opts.CookieExpire,
Validator: validator, Validator: validator,
@ -197,7 +199,7 @@ func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
Path: "/", Path: "/",
Domain: domain, Domain: domain,
Expires: time.Now().Add(time.Duration(1) * time.Hour * -1), Expires: time.Now().Add(time.Duration(1) * time.Hour * -1),
HttpOnly: true, HttpOnly: p.CookieHttpOnly,
} }
http.SetCookie(rw, cookie) http.SetCookie(rw, cookie)
} }
@ -213,7 +215,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
Value: signedCookieValue(p.CookieSeed, p.CookieKey, val), Value: signedCookieValue(p.CookieSeed, p.CookieKey, val),
Path: "/", Path: "/",
Domain: domain, Domain: domain,
HttpOnly: true, HttpOnly: p.CookieHttpOnly,
Secure: p.CookieHttpsOnly, Secure: p.CookieHttpsOnly,
Expires: time.Now().Add(p.CookieExpire), Expires: time.Now().Add(p.CookieExpire),
} }
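Review bot: Nothing in NewOauthProxy marks a disabled HttpOnly as a weakened setting; the new value is only folded into the existing `Cookie settings:` log line. Since SetCookie now emits the signed session cookie with `HttpOnly: p.CookieHttpOnly`, a false value lets any script running within the cookie's scope read it, and the `cookie-domain` option can widen that scope to a parent domain. I would add a startup warning next to the log line, `if !opts.CookieHttpOnly { log.Printf("warning: cookie_httponly is false; session cookie is readable by page scripts") }`, and a comment on the `CookieHttpOnly` struct field stating the same. NewOauthProxy, ClearCookie and SetCookie all extend beyond the visible hunks.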


@ -21,6 +21,7 @@ type Options struct {
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"` CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"` CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"`
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"` AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"` GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
Upstreams []string `flag:"upstream" cfg:"upstreams"` Upstreams []string `flag:"upstream" cfg:"upstreams"`
@ -37,6 +38,7 @@ func NewOptions() *Options {
HttpAddress: "127.0.0.1:4180", HttpAddress: "127.0.0.1:4180",
DisplayHtpasswdForm: true, DisplayHtpasswdForm: true,
CookieHttpsOnly: true, CookieHttpsOnly: true,
CookieHttpOnly: true,
PassBasicAuth: true, PassBasicAuth: true,
CookieExpire: time.Duration(168) * time.Hour, CookieExpire: time.Duration(168) * time.Hour,
} }