rename cookie secure flag

2015-03-17 23:13:45 -04:00 · 2015-03-17 23:13:45 -04:00 · de04e0c519
commit de04e0c519
parent e67f2d5944
5 changed files with 35 additions and 25 deletions
--- a/README.md
+++ b/README.md
@ -64,9 +64,11 @@ Usage of google_auth_proxy:
  -config="": path to config file
  -cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
  -cookie-expire=168h0m0s: expire timeframe for cookie
-  -cookie-httponly=true: set HttpOnly cookie
-  -cookie-https-only=true: set HTTPS only cookie
+  -cookie-httponly=true: set HttpOnly cookie flag
+  -cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
  -cookie-secret="": the seed string for secure cookies
+  -cookie-secure=true: set secure (HTTPS) cookie flag
+  -custom-templates-dir="": path to custom html templates
  -display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
  -google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
  -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
@ -75,7 +77,6 @@ Usage of google_auth_proxy:
  -pass-host-header=true: pass the request Host Header to upstream
  -redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
  -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-  -custom templates-dir="": path to custom html templates
  -upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
  -version=false: print version string
 ```
@ -120,7 +121,7 @@ The command line to run `google_auth_proxy` would look like this:
   --google-apps-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
-   --cookie-https-only=true \
+   --cookie-secure=true \
   --client-id=... \
   --client-secret=...
 ```
--- a/contrib/google_auth_proxy.cfg.example
+++ b/contrib/google_auth_proxy.cfg.example
@ -49,5 +49,5 @@
 # cookie_secret = ""
 # cookie_domain = ""
 # cookie_expire = "168h"
-# cookie_https_only = true
+# cookie_secure = true
 # cookie_httponly = true
--- a/main.go
+++ b/main.go
@ -43,8 +43,9 @@ func main() {
 	flagSet.String("cookie-secret", "", "the seed string for secure cookies")
 	flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
 	flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
-	flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie")
-	flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie")
+	flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
+	flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
+	flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")

 	flagSet.Parse(os.Args[1:])

--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -24,13 +24,13 @@ const oauthStartPath = "/oauth2/start"
 const oauthCallbackPath = "/oauth2/callback"

 type OauthProxy struct {
-	CookieSeed      string
-	CookieKey       string
-	CookieDomain    string
-	CookieHttpsOnly bool
-	CookieHttpOnly  bool
-	CookieExpire    time.Duration
-	Validator       func(string) bool
+	CookieSeed     string
+	CookieKey      string
+	CookieDomain   string
+	CookieSecure   bool
+	CookieHttpOnly bool
+	CookieExpire   time.Duration
+	Validator      func(string) bool

 	redirectUrl         *url.URL // the url to receive requests at
 	oauthRedemptionUrl  *url.URL // endpoint to redeem the code
@ -98,15 +98,21 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 	if domain == "" {
 		domain = "<default>"
 	}
-	log.Printf("Cookie settings: https_only (SSL required): %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
+	if !opts.CookieHttpsOnly {
+		log.Printf("Warning: cookie-https-only setting is deprecated and will be removed in a future version. use cookie-secure")
+		opts.CookieSecure = opts.CookieHttpsOnly
+	}
+
+	log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
+
 	return &OauthProxy{
-		CookieKey:       "_oauthproxy",
-		CookieSeed:      opts.CookieSecret,
-		CookieDomain:    opts.CookieDomain,
-		CookieHttpsOnly: opts.CookieHttpsOnly,
-		CookieHttpOnly:  opts.CookieHttpOnly,
-		CookieExpire:    opts.CookieExpire,
-		Validator:       validator,
+		CookieKey:      "_oauthproxy",
+		CookieSeed:     opts.CookieSecret,
+		CookieDomain:   opts.CookieDomain,
+		CookieSecure:   opts.CookieSecure,
+		CookieHttpOnly: opts.CookieHttpOnly,
+		CookieExpire:   opts.CookieExpire,
+		Validator:      validator,

 		clientID:           opts.ClientID,
 		clientSecret:       opts.ClientSecret,
@ -130,7 +136,7 @@ func (p *OauthProxy) GetRedirectUrl(host string) string {
 	var u url.URL
 	u = *p.redirectUrl
 	if u.Scheme == "" {
-		if p.CookieHttpsOnly {
+		if p.CookieSecure {
 			u.Scheme = "https"
 		} else {
 			u.Scheme = "http"
@ -265,7 +271,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
 		Path:     "/",
 		Domain:   domain,
 		HttpOnly: p.CookieHttpOnly,
-		Secure:   p.CookieHttpsOnly,
+		Secure:   p.CookieSecure,
 		Expires:  time.Now().Add(p.CookieExpire),
 	}
 	http.SetCookie(rw, cookie)
--- a/options.go
+++ b/options.go
@ -24,7 +24,8 @@ type Options struct {
 	CookieSecret    string        `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
 	CookieDomain    string        `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
 	CookieExpire    time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
-	CookieHttpsOnly bool          `flag:"cookie-https-only" cfg:"cookie_https_only"` // set secure cookie flag
+	CookieHttpsOnly bool          `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
+	CookieSecure    bool          `flag:"cookie-secure" cfg:"cookie_secure"`
 	CookieHttpOnly  bool          `flag:"cookie-httponly" cfg:"cookie_httponly"`

 	Upstreams      []string `flag:"upstream" cfg:"upstreams"`
@ -43,6 +44,7 @@ func NewOptions() *Options {
 		HttpAddress:         "127.0.0.1:4180",
 		DisplayHtpasswdForm: true,
 		CookieHttpsOnly:     true,
+		CookieSecure:        true,
 		CookieHttpOnly:      true,
 		CookieExpire:        time.Duration(168) * time.Hour,
 		PassBasicAuth:       true,