Merge pull request #34 from jehiah/secure_cookies_34

Use of secure attribute in cookies
Jehiah Czebotar 2014-11-08 20:35:35 +01:00
commit 7fae45a7b6
3 changed files with 12 additions and 6 deletions


@ -50,8 +50,10 @@ Usage of ./google_auth_proxy:
-client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com" -client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the OAuth Client Secret -client-secret="": the OAuth Client Secret
-cookie-domain="": an optional cookie domain to force cookies to -cookie-domain="": an optional cookie domain to force cookies to
-cookie-expire=168h: expire timeframe for cookie
-cookie-https-only=false: set HTTPS only cookie
-cookie-secret="": the seed string for secure cookies -cookie-secret="": the seed string for secure cookies
-google-apps-domain="": authenticate against the given google apps domain -google-apps-domain=[]: authenticate against the given google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
-http-address="127.0.0.1:4180": <addr>:<port> to listen on for HTTP clients -http-address="127.0.0.1:4180": <addr>:<port> to listen on for HTTP clients
-pass-basic-auth=true: pass HTTP Basic Auth information to upstream -pass-basic-auth=true: pass HTTP Basic Auth information to upstream
@ -98,6 +100,7 @@ The command line to run `google_auth_proxy` would look like this:
--google-apps-domain="yourcompany.com" \ --google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \ --upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \ --cookie-secret=... \
--cookie-secure=true \
--client-id=... \ --client-id=... \
--client-secret=... --client-secret=...
``` ```
@ -108,9 +111,9 @@ The environment variables `google_auth_client_id`, `google_auth_secret` and `goo
## Endpoint Documentation ## Endpoint Documentation
Google auth proxy responds directly to the following endpoints. All other endpoints will be authenticated. Google Auth Proxy responds directly to the following endpoints. All other endpoints will be authenticated.
* /ping - returns an 200 OK response * /ping - returns an 200 OK response
* /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies) * /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
* /oauth2/start - a URL that will redirect to start the oauth cycle * /oauth2/start - a URL that will redirect to start the OAuth cycle
* /oauth2/callback - the URL used at the end of the oauth cycle * /oauth2/callback - the URL used at the end of the OAuth cycle


@ -9,6 +9,7 @@ import (
"net/url" "net/url"
"os" "os"
"strings" "strings"
"time"
) )
const VERSION = "0.1.0" const VERSION = "0.1.0"
@ -23,6 +24,8 @@ var (
htpasswdFile = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption") htpasswdFile = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
cookieSecret = flag.String("cookie-secret", "", "the seed string for secure cookies") cookieSecret = flag.String("cookie-secret", "", "the seed string for secure cookies")
cookieDomain = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to") cookieDomain = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to")
cookieExpire = flag.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
cookieHttpsOnly = flag.Bool("cookie-https-only", false, "set HTTPS only cookie")
authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)") authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
googleAppsDomains = StringArray{} googleAppsDomains = StringArray{}
upstreams = StringArray{} upstreams = StringArray{}
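Review bot: The flag registered on line 52 is named `cookie-https-only`, but the README example added by this same commit passes `--cookie-secure=true`, which Go's flag package will reject as an unknown flag at startup; the two need to agree on one name. The `false` default also means the signed session cookie is emitted without the Secure attribute and so travels over plaintext HTTP unless the operator opts in, which is the unsafe direction for an auth proxy; consider defaulting to `true`, or at minimum stating in the help text that the proxy cannot detect TLS itself and the operator must set this when serving over HTTPS. `time.Duration(168)*time.Hour` on line 51 reads more directly as `168 * time.Hour`. The enclosing `var (` block continues outside the hunk.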


@ -189,9 +189,9 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
Value: signedCookieValue(p.CookieSeed, p.CookieKey, val), Value: signedCookieValue(p.CookieSeed, p.CookieKey, val),
Path: "/", Path: "/",
Domain: domain, Domain: domain,
Expires: time.Now().Add(time.Duration(168) * time.Hour), // 7 days
HttpOnly: true, HttpOnly: true,
// Secure: req. ... ? set if X-Scheme: https ? Secure: *cookieHttpsOnly,
Expires: time.Now().Add(*cookieExpire),
} }
http.SetCookie(rw, cookie) http.SetCookie(rw, cookie)
} }
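Review bot: `Secure: *cookieHttpsOnly` and `Expires: time.Now().Add(*cookieExpire)` dereference package-level flag pointers (presumably declared in main.go of the same package) from inside the method, while the neighbouring cookie settings (`p.CookieSeed`, `p.CookieKey`, `domain`) come from the OauthProxy value; carrying these two as fields, `Secure: p.CookieHttpsOnly` and `Expires: time.Now().Add(p.CookieExpire)`, populated where the proxy is constructed, keeps SetCookie independent of flag parsing and testable on its own. Dropping the old `// Secure: req. ... ? set if X-Scheme: https ?` comment loses the record that TLS detection was considered; since a deployment behind a TLS terminator that forgets the flag now silently issues the session cookie without Secure, a one-line comment such as `// Secure is operator-controlled (-cookie-https-only); the proxy does not infer TLS from req` is worth keeping in its place. SetCookie's signature and the start of its body are outside the hunk.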