Merge pull request #34 from jehiah/secure_cookies_34
Use of secure attribute in cookies
This commit is contained in:
commit
7fae45a7b6
11
README.md
11
README.md
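--- a/README.md
+++ b/README.md
@@ -50,8 +50,10 @@ Usage of ./google_auth_proxy:
 -client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
 -client-secret="": the OAuth Client Secret
 -cookie-domain="": an optional cookie domain to force cookies to
+-cookie-expire=168h: expire timeframe for cookie
+-cookie-https-only=false: set HTTPS only cookie
 -cookie-secret="": the seed string for secure cookies
--google-apps-domain="": authenticate against the given google apps domain
+-google-apps-domain=[]: authenticate against the given google apps domain (may be given multiple times)
 -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
 -http-address="127.0.0.1:4180": <addr>:<port> to listen on for HTTP clients
 -pass-basic-auth=true: pass HTTP Basic Auth information to upstream
@@ -98,6 +100,7 @@ The command line to run `google_auth_proxy` would look like this:
 --google-apps-domain="yourcompany.com" \
 --upstream=http://127.0.0.1:8080/ \
 --cookie-secret=... \
+--cookie-secure=true \
 --client-id=... \
 --client-secret=...
 ```
@@ -108,9 +111,9 @@ The environment variables `google_auth_client_id`, `google_auth_secret` and `goo
 
 ## Endpoint Documentation
 
-Google auth proxy responds directly to the following endpoints. All other endpoints will be authenticated.
+Google Auth Proxy responds directly to the following endpoints. All other endpoints will be authenticated.
 
 * /ping - returns an 200 OK response
 * /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
-* /oauth2/start - a URL that will redirect to start the oauth cycle
-* /oauth2/callback - the URL used at the end of the oauth cycle
+* /oauth2/start - a URL that will redirect to start the OAuth cycle
+* /oauth2/callback - the URL used at the end of the OAuth cycle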
3
main.go
3
main.go
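--- a/main.go
+++ b/main.go
@@ -9,6 +9,7 @@ import (
 "net/url"
 "os"
 "strings"
+"time"
 )
 
 const VERSION = "0.1.0"
@@ -23,6 +24,8 @@ var (
 htpasswdFile = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
 cookieSecret = flag.String("cookie-secret", "", "the seed string for secure cookies")
 cookieDomain = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to")
+cookieExpire = flag.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
+cookieHttpsOnly = flag.Bool("cookie-https-only", false, "set HTTPS only cookie")
 authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
 googleAppsDomains = StringArray{}
 upstreams = StringArray{}
@@ -189,9 +189,9 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
 Value: signedCookieValue(p.CookieSeed, p.CookieKey, val),
 Path: "/",
 Domain: domain,
-Expires: time.Now().Add(time.Duration(168) * time.Hour), // 7 days
 HttpOnly: true,
-// Secure: req. ... ? set if X-Scheme: https ?
+Secure: *cookieHttpsOnly,
+Expires: time.Now().Add(*cookieExpire),
 }
 http.SetCookie(rw, cookie)
 }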
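Review bot: `Secure: *cookieHttpsOnly` in the SetCookie hunk leaves the signed session cookie sent over cleartext HTTP by default, since the flag defaults to false and nothing here derives the scheme from the request (the removed `X-Scheme` comment hinted at doing that). The README example added in this same commit passes `--cookie-secure=true`, which is not the flag defined here (`-cookie-https-only`), so an operator copying it will presumably hit a flag-parse error rather than get a secure cookie; align the README with the flag name or vice versa. I would also spell the risk out in the help text, e.g. `"set HTTPS only cookie (default false: the session cookie is also sent over plain HTTP)"`. Minor style point: Secure and Expires read package-level flag variables directly while the seed and key come from `p`, so carrying them on OauthProxy like the other cookie settings would keep SetCookie self-contained. SetCookie's signature and the start of the cookie literal lie outside the hunk.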