always set httponly (there is no good reason not to); simplify httponly and expire flags

This commit is contained in:
Jehiah Czebotar 2014-11-08 13:26:55 -05:00
parent 6cdf05e7f2
commit bc26835076
3 changed files with 13 additions and 22 deletions


@ -50,8 +50,10 @@ Usage of ./google_auth_proxy:
-client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com" -client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the OAuth Client Secret -client-secret="": the OAuth Client Secret
-cookie-domain="": an optional cookie domain to force cookies to -cookie-domain="": an optional cookie domain to force cookies to
-cookie-expire=168h: expire timeframe for cookie
-cookie-https-only=false: set HTTPS only cookie
-cookie-secret="": the seed string for secure cookies -cookie-secret="": the seed string for secure cookies
-google-apps-domain="": authenticate against the given google apps domain -google-apps-domain=[]: authenticate against the given google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
-http-address="127.0.0.1:4180": <addr>:<port> to listen on for HTTP clients -http-address="127.0.0.1:4180": <addr>:<port> to listen on for HTTP clients
-pass-basic-auth=true: pass HTTP Basic Auth information to upstream -pass-basic-auth=true: pass HTTP Basic Auth information to upstream
@ -98,6 +100,7 @@ The command line to run `google_auth_proxy` would look like this:
--google-apps-domain="yourcompany.com" \ --google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \ --upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \ --cookie-secret=... \
--cookie-secure=true \
--client-id=... \ --client-id=... \
--client-secret=... --client-secret=...
``` ```
@ -108,9 +111,9 @@ The environment variables `google_auth_client_id`, `google_auth_secret` and `goo
## Endpoint Documentation ## Endpoint Documentation
Google auth proxy responds directly to the following endpoints. All other endpoints will be authenticated. Google Auth Proxy responds directly to the following endpoints. All other endpoints will be authenticated.
* /ping - returns an 200 OK response * /ping - returns an 200 OK response
* /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies) * /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
* /oauth2/start - a URL that will redirect to start the oauth cycle * /oauth2/start - a URL that will redirect to start the OAuth cycle
* /oauth2/callback - the URL used at the end of the oauth cycle * /oauth2/callback - the URL used at the end of the OAuth cycle


@ -9,6 +9,7 @@ import (
"net/url" "net/url"
"os" "os"
"strings" "strings"
"time"
) )
const VERSION = "0.1.0" const VERSION = "0.1.0"
@ -23,8 +24,8 @@ var (
htpasswdFile = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption") htpasswdFile = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
cookieSecret = flag.String("cookie-secret", "", "the seed string for secure cookies") cookieSecret = flag.String("cookie-secret", "", "the seed string for secure cookies")
cookieDomain = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to") cookieDomain = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to")
cookieExpire = flag.Int("cookie-expire", 168 * 60, "expire time for cookie") cookieExpire = flag.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
cookieSecure = flag.Bool("cookie-secure", false, "HTTPS only cookie") cookieHttpsOnly = flag.Bool("cookie-https-only", false, "set HTTPS only cookie")
authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)") authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
googleAppsDomains = StringArray{} googleAppsDomains = StringArray{}
upstreams = StringArray{} upstreams = StringArray{}
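Review bot: Renaming `cookie-secure` to `cookie-https-only` with no alias means any existing invocation passing `-cookie-secure` now fails flag parsing at startup, and the README example in this same commit still shows `--cookie-secure=true`, so the documented command line no longer runs; keeping the old name as a deprecated alias, or at least fixing the example, would avoid that. The default of `false` for the new flag keeps the signed session cookie being sent over plain HTTP unless the operator opts in; the help string should say so explicitly, e.g. `"set the Secure attribute on the session cookie (recommended whenever the proxy is served over HTTPS)"`. As a style point, the Duration default reads more naturally as `168 * time.Hour` than `time.Duration(168)*time.Hour`, and Go's initialism convention would name the variable `cookieHTTPSOnly`.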


@ -184,27 +184,14 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) { if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) {
domain = *cookieDomain domain = *cookieDomain
} }
need_expire := true
expire := time.Now().Add(time.Duration(*cookieExpire))
if *cookieExpire == 0 {
need_expire = false
}
http_only := true
secure := false
if *cookieSecure {
http_only = false
secure = true
}
cookie := &http.Cookie{ cookie := &http.Cookie{
Name: p.CookieKey, Name: p.CookieKey,
Value: signedCookieValue(p.CookieSeed, p.CookieKey, val), Value: signedCookieValue(p.CookieSeed, p.CookieKey, val),
Path: "/", Path: "/",
Domain: domain, Domain: domain,
HttpOnly: http_only, HttpOnly: true,
Secure: secure, Secure: *cookieHttpsOnly,
} Expires: time.Now().Add(*cookieExpire),
if need_expire {
cookie.Expires = expire
} }
http.SetCookie(rw, cookie) http.SetCookie(rw, cookie)
} }
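Review bot: Setting `Expires: time.Now().Add(*cookieExpire)` unconditionally drops the case the removed `need_expire` block handled: with `--cookie-expire=0` the cookie now carries an Expires equal to the current time, so the browser discards it immediately and no login can succeed, whereas before a zero value produced a session cookie without an Expires attribute. A negative duration has the same effect. I would restore the guard on the new side, e.g. `if *cookieExpire > 0 { cookie.Expires = time.Now().Add(*cookieExpire) }` after the struct literal, and document in the flag help that 0 yields a session cookie. Always setting `HttpOnly: true` is the right call since nothing on this page reads the cookie from script. SetCookie begins before this hunk, so the derivation of `domain` is not visible here.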