Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies if the `__Host-` prefix is used (https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2). There's no need to set it to the host by default, so make it optional. If it is set to a non-empty value, still output a warning if it is not a suffix of the host, as that's likely not wanted. Fixes #352.
parent
b90a23473f
commit
b6bd878f27
@ -164,7 +164,7 @@ Usage of oauth2_proxy:
|
|||||||
-client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
|
-client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
|
||||||
-client-secret string: the OAuth Client Secret
|
-client-secret string: the OAuth Client Secret
|
||||||
-config string: path to config file
|
-config string: path to config file
|
||||||
-cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
-cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)
|
||||||
-cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
|
-cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
|
||||||
-cookie-httponly: set HttpOnly cookie flag (default true)
|
-cookie-httponly: set HttpOnly cookie flag (default true)
|
||||||
-cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
|
-cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
|
||||||
|
@ -155,16 +155,12 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
|
|||||||
redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
|
redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
|
||||||
|
|
||||||
log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)
|
log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)
|
||||||
domain := opts.CookieDomain
|
|
||||||
if domain == "" {
|
|
||||||
domain = "<default>"
|
|
||||||
}
|
|
||||||
refresh := "disabled"
|
refresh := "disabled"
|
||||||
if opts.CookieRefresh != time.Duration(0) {
|
if opts.CookieRefresh != time.Duration(0) {
|
||||||
refresh = fmt.Sprintf("after %s", opts.CookieRefresh)
|
refresh = fmt.Sprintf("after %s", opts.CookieRefresh)
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain, refresh)
|
log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, opts.CookieDomain, refresh)
|
||||||
|
|
||||||
var cipher *cookie.Cipher
|
var cipher *cookie.Cipher
|
||||||
if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
|
if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
|
||||||
@ -267,22 +263,21 @@ func (p *OAuthProxy) MakeCSRFCookie(req *http.Request, value string, expiration
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, expiration time.Duration, now time.Time) *http.Cookie {
|
func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, expiration time.Duration, now time.Time) *http.Cookie {
|
||||||
domain := req.Host
|
|
||||||
if h, _, err := net.SplitHostPort(domain); err == nil {
|
|
||||||
domain = h
|
|
||||||
}
|
|
||||||
if p.CookieDomain != "" {
|
if p.CookieDomain != "" {
|
||||||
|
domain := req.Host
|
||||||
|
if h, _, err := net.SplitHostPort(domain); err == nil {
|
||||||
|
domain = h
|
||||||
|
}
|
||||||
if !strings.HasSuffix(domain, p.CookieDomain) {
|
if !strings.HasSuffix(domain, p.CookieDomain) {
|
||||||
log.Printf("Warning: request host is %q but using configured cookie domain of %q", domain, p.CookieDomain)
|
log.Printf("Warning: request host is %q but using configured cookie domain of %q", domain, p.CookieDomain)
|
||||||
}
|
}
|
||||||
domain = p.CookieDomain
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return &http.Cookie{
|
return &http.Cookie{
|
||||||
Name: name,
|
Name: name,
|
||||||
Value: value,
|
Value: value,
|
||||||
Path: "/",
|
Path: "/",
|
||||||
Domain: domain,
|
Domain: p.CookieDomain,
|
||||||
HttpOnly: p.CookieHttpOnly,
|
HttpOnly: p.CookieHttpOnly,
|
||||||
Secure: p.CookieSecure,
|
Secure: p.CookieSecure,
|
||||||
Expires: now.Add(expiration),
|
Expires: now.Add(expiration),
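Review bot: The check on the `if !strings.HasSuffix(domain, p.CookieDomain)` line compares raw strings with no label boundary, so a request host `notyourcompany.com` silently passes for a configured domain `yourcompany.com`, while the README's own example form `.yourcompany.com` makes the apex host `yourcompany.com` log the warning spuriously. Normalizing first — `d := strings.TrimPrefix(p.CookieDomain, ".")` and then `if domain != d && !strings.HasSuffix(domain, "."+d) {` — gives the comparison its intended meaning (lower-casing both sides would also help, since hostnames are case-insensitive). The warning is log-only and the cookie is still emitted with the configured domain, which a browser is expected to discard when it does not domain-match the request host, so a misconfiguration would surface as a silent login loop rather than an error. Since the commit's motivation is the `__Host-` prefix, note that the prefix also requires the `Secure` attribute, yet `Secure: p.CookieSecure` is operator-configurable; rejecting a `__Host-`-prefixed `-cookie-name` combined with `-cookie-secure=false` at option validation would be a cheap guard. makeCookie's body continues past the end of the hunk.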
|
||||||
|