Merge pull request #718 from GreenStage/egomes/AUTH-3722

AUTH-3722: Adds http_only and same_site cookie options for access apps
cloudflare · Oct 5, 2021 · 7d00b60 · 7d00b60
2 parents 5901ebc + 3ee470d
commit 7d00b60
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 28 deletions.
diff --git a/access_application.go b/access_application.go
@@ -25,20 +25,22 @@ const (
 
 // AccessApplication represents an Access application.
 type AccessApplication struct {
-	ID                     string                        `json:"id,omitempty"`
-	CreatedAt              *time.Time                    `json:"created_at,omitempty"`
-	UpdatedAt              *time.Time                    `json:"updated_at,omitempty"`
-	AUD                    string                        `json:"aud,omitempty"`
-	Name                   string                        `json:"name"`
-	Domain                 string                        `json:"domain"`
-	Type                   AccessApplicationType         `json:"type,omitempty"`
-	SessionDuration        string                        `json:"session_duration,omitempty"`
-	AutoRedirectToIdentity bool                          `json:"auto_redirect_to_identity,omitempty"`
-	EnableBindingCookie    bool                          `json:"enable_binding_cookie,omitempty"`
-	AllowedIdps            []string                      `json:"allowed_idps,omitempty"`
-	CorsHeaders            *AccessApplicationCorsHeaders `json:"cors_headers,omitempty"`
-	CustomDenyMessage      string                        `json:"custom_deny_message,omitempty"`
-	CustomDenyURL          string                        `json:"custom_deny_url,omitempty"`
+	ID                      string                        `json:"id,omitempty"`
+	CreatedAt               *time.Time                    `json:"created_at,omitempty"`
+	UpdatedAt               *time.Time                    `json:"updated_at,omitempty"`
+	AUD                     string                        `json:"aud,omitempty"`
+	Name                    string                        `json:"name"`
+	Domain                  string                        `json:"domain"`
+	Type                    AccessApplicationType         `json:"type,omitempty"`
+	SessionDuration         string                        `json:"session_duration,omitempty"`
+	AutoRedirectToIdentity  bool                          `json:"auto_redirect_to_identity,omitempty"`
+	EnableBindingCookie     bool                          `json:"enable_binding_cookie,omitempty"`
+	AllowedIdps             []string                      `json:"allowed_idps,omitempty"`
+	CorsHeaders             *AccessApplicationCorsHeaders `json:"cors_headers,omitempty"`
+	CustomDenyMessage       string                        `json:"custom_deny_message,omitempty"`
+	CustomDenyURL           string                        `json:"custom_deny_url,omitempty"`
+	HttpOnlyCookieAttribute bool                          `json:"http_only_cookie_attribute,omitempty"`
+	SameSiteCookieAttribute string                        `json:"same_site_cookie_attribute,omitempty"`
 }
 
 // AccessApplicationCorsHeaders represents the CORS HTTP headers for an Access

diff --git a/access_application_test.go b/access_application_test.go
@@ -35,7 +35,9 @@ func TestAccessApplications(t *testing.T) {
 					"auto_redirect_to_identity": false,
 					"enable_binding_cookie": false,
 					"custom_deny_url": "https://www.cloudflare.com",
-					"custom_deny_message": "denied!"
+					"custom_deny_message": "denied!",
+					"http_only_cookie_attribute": true,
+					"same_site_cookie_attribute": "strict"
 				}
 			],
 			"result_info": {
@@ -52,19 +54,21 @@ func TestAccessApplications(t *testing.T) {
 	updatedAt, _ := time.Parse(time.RFC3339, "2014-01-01T05:20:00.12345Z")
 
 	want := []AccessApplication{{
-		ID:                     "480f4f69-1a28-4fdd-9240-1ed29f0ac1db",
-		CreatedAt:              &createdAt,
-		UpdatedAt:              &updatedAt,
-		AUD:                    "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
-		Name:                   "Admin Site",
-		Domain:                 "test.example.com/admin",
-		Type:                   "self_hosted",
-		SessionDuration:        "24h",
-		AllowedIdps:            []string{"f174e90a-fafe-4643-bbbc-4a0ed4fc8415"},
-		AutoRedirectToIdentity: false,
-		EnableBindingCookie:    false,
-		CustomDenyMessage:      "denied!",
-		CustomDenyURL:          "https://www.cloudflare.com",
+		ID:                      "480f4f69-1a28-4fdd-9240-1ed29f0ac1db",
+		CreatedAt:               &createdAt,
+		UpdatedAt:               &updatedAt,
+		AUD:                     "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
+		Name:                    "Admin Site",
+		Domain:                  "test.example.com/admin",
+		Type:                    "self_hosted",
+		SessionDuration:         "24h",
+		AllowedIdps:             []string{"f174e90a-fafe-4643-bbbc-4a0ed4fc8415"},
+		AutoRedirectToIdentity:  false,
+		EnableBindingCookie:     false,
+		CustomDenyMessage:       "denied!",
+		CustomDenyURL:           "https://www.cloudflare.com",
+		SameSiteCookieAttribute: "strict",
+		HttpOnlyCookieAttribute: true,
 	}}
 
 	mux.HandleFunc("/accounts/"+testAccountID+"/access/apps", handler)