From 6eb320885414e841f20b8398798630d3b7a73b17 Mon Sep 17 00:00:00 2001 From: zepatrik <11patti1@gmx.de> Date: Fri, 20 Mar 2020 19:05:15 +0100 Subject: [PATCH 1/3] feat: allow configuring same-site for session cookies --- docs/config.schema.json | 30 ++++++++++++++++++++++++++ driver/configuration/provider.go | 3 +++ driver/configuration/provider_viper.go | 15 +++++++++++++ driver/registry_default.go | 1 + 4 files changed, 49 insertions(+) diff --git a/docs/config.schema.json b/docs/config.schema.json index 61627138c177..2bf8a99aafb6 100644 --- a/docs/config.schema.json +++ b/docs/config.schema.json @@ -185,6 +185,15 @@ "$ref": "#/definitions/selfServiceRedirectHook" }, "uniqueItems": true + }, + "cookiesSameSite": { + "type": "string", + "enum": [ + "Strict", + "Lax", + "None" + ], + "default": "Lax" } }, "properties": { @@ -588,6 +597,27 @@ } }, "additionalProperties": false + }, + "security": { + "type": "object", + "properties": { + "session": { + "type": "object", + "properties": { + "cookie": { + "type": "object", + "properties": { + "same_site": { + "$ref": "#/definitions/cookiesSameSite" + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false + } + }, + "additionalProperties": false } }, "required": [ diff --git a/driver/configuration/provider.go b/driver/configuration/provider.go index b647f1e44a4c..15505ead1b16 100644 --- a/driver/configuration/provider.go +++ b/driver/configuration/provider.go @@ -2,6 +2,7 @@ package configuration import ( "encoding/json" + "net/http" "net/url" "time" @@ -99,4 +100,6 @@ type Provider interface { TracingJaegerConfig() *tracing.JaegerConfig IsInsecureDevMode() bool + + SessionSameSiteMode() http.SameSite } diff --git a/driver/configuration/provider_viper.go b/driver/configuration/provider_viper.go index 3bcda8cf2bb5..0c0dbf5d0d62 100644 --- a/driver/configuration/provider_viper.go +++ b/driver/configuration/provider_viper.go 
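Review bot: The new `cookiesSameSite` definition carries `type`, `enum` and `default` but no `description`, so nothing in the generated configuration docs tells an operator that `None` only takes effect when the session cookie is also marked `Secure` — the attribute the cookie store in this same series switches off in insecure dev mode. I would add `"description": "SameSite attribute of the session cookie. 'None' is only honoured by browsers together with the Secure attribute and therefore does not work in insecure dev mode; Lax is the default."` next to the `default`. The enclosing `definitions` object starts and ends outside the hunk.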
@@ -4,6 +4,7 @@ import ( "bytes" "encoding/json" "fmt" + "net/http" "net/url" "runtime" "time" @@ -53,6 +54,8 @@ const ( ViperKeyLifespanSession = "ttl.session" + ViperKeySessionSameSite = "security.session.cookie.same_site" + ViperKeySelfServiceStrategyConfig = "selfservice.strategies" ViperKeySelfServiceRegistrationBeforeConfig = "selfservice.registration.before" ViperKeySelfServiceRegistrationAfterConfig = "selfservice.registration.after" @@ -370,3 +373,15 @@ func (p *ViperProvider) SelfServiceVerificationReturnTo() *url.URL { func (p *ViperProvider) SelfServicePrivilegedSessionMaxAge() time.Duration { return viperx.GetDuration(p.l, ViperKeySelfServicePrivilegedAuthenticationAfter, time.Hour) } + +func (p *ViperProvider) SessionSameSiteMode() http.SameSite { + switch viperx.GetString(p.l, ViperKeySessionSameSite, "Lax") { + case "Lax": + return http.SameSiteLaxMode + case "Strict": + return http.SameSiteStrictMode + case "None": + return http.SameSiteNoneMode + } + return http.SameSiteDefaultMode +} diff --git a/driver/registry_default.go b/driver/registry_default.go index 0afffd48f390..55a592b46bd5 100644 --- a/driver/registry_default.go +++ b/driver/registry_default.go @@ -277,6 +277,7 @@ func (m *RegistryDefault) CookieManager() sessions.Store { cs := sessions.NewCookieStore(m.c.SessionSecrets()...) cs.Options.Secure = !m.c.IsInsecureDevMode() cs.Options.HttpOnly = true + cs.Options.SameSite = m.c.SessionSameSiteMode() m.sessionsStore = cs } return m.sessionsStore From 5c636f3ca8466481e328b6915cf1075b9cf53a2c Mon Sep 17 00:00:00 2001 From: zepatrik <11patti1@gmx.de> Date: Fri, 20 Mar 2020 19:25:01 +0100 Subject: [PATCH 2/3] always update SameSite setting to support hot reloading --- driver/registry_default.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/driver/registry_default.go b/driver/registry_default.go index 55a592b46bd5..da797b6f6801 100644 --- a/driver/registry_default.go +++ b/driver/registry_default.go 
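Review bot: `SessionSameSiteMode` silently maps any value it does not recognise — a lower-case `lax` or `none`, or anything that reaches viper without passing the JSON schema enum, if values can be set that way here — to `http.SameSiteDefaultMode`, which emits no attribute and leaves the session cookie at the browser's own default rather than the documented `Lax`. Bind the string once, `mode := viperx.GetString(p.l, ViperKeySessionSameSite, "Lax")`, switch on it, and replace the trailing `return http.SameSiteDefaultMode` with a `default:` arm that logs the unexpected value (`p.l` looks like the logger handed to viperx, worth confirming) and returns `http.SameSiteLaxMode`, so a typo degrades to the safe default instead of quietly weakening CSRF protection. A doc comment on the exported method, `// SessionSameSiteMode returns the SameSite attribute for the session cookie; unrecognised values fall back to Lax.`, would make that contract explicit.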
@@ -69,7 +69,7 @@ type RegistryDefault struct { schemaHandler *schema.Handler sessionHandler *session.Handler - sessionsStore sessions.Store + sessionsStore *sessions.CookieStore sessionManager session.Manager passwordHasher password2.Hasher @@ -277,9 +277,9 @@ func (m *RegistryDefault) CookieManager() sessions.Store { cs := sessions.NewCookieStore(m.c.SessionSecrets()...) cs.Options.Secure = !m.c.IsInsecureDevMode() cs.Options.HttpOnly = true - cs.Options.SameSite = m.c.SessionSameSiteMode() m.sessionsStore = cs } + m.sessionsStore.Options.SameSite = m.c.SessionSameSiteMode() return m.sessionsStore } From 9ba107192ae979579d9b9226f917f04dfb28cf5c Mon Sep 17 00:00:00 2001 From: aeneasr Date: Fri, 20 Mar 2020 18:32:30 +0000 Subject: [PATCH 3/3] chore: Regenerate swagger spec and internal client --- internal/httpclient/client/common/get_schema_parameters.go | 3 +-- internal/httpclient/client/common/get_schema_responses.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/internal/httpclient/client/common/get_schema_parameters.go b/internal/httpclient/client/common/get_schema_parameters.go index f230212d06e2..fdf8a692485d 100644 --- a/internal/httpclient/client/common/get_schema_parameters.go +++ b/internal/httpclient/client/common/get_schema_parameters.go @@ -13,8 +13,7 @@ import ( "github.com/go-openapi/errors" "github.com/go-openapi/runtime" cr "github.com/go-openapi/runtime/client" - - strfmt "github.com/go-openapi/strfmt" + "github.com/go-openapi/strfmt" ) // NewGetSchemaParams creates a new GetSchemaParams object diff --git a/internal/httpclient/client/common/get_schema_responses.go b/internal/httpclient/client/common/get_schema_responses.go index d0ed4b6edfb5..7b35f518d7b7 100644 --- a/internal/httpclient/client/common/get_schema_responses.go +++ b/internal/httpclient/client/common/get_schema_responses.go 
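Review bot: `m.sessionsStore.Options.SameSite = m.c.SessionSameSiteMode()` can now pair `SameSite=None` with `Secure=false`, because `Secure` is still derived once from `!m.c.IsInsecureDevMode()` inside the initialisation block while SameSite is re-read on every call. Browsers that implement the SameSite=None rules only accept it together with `Secure`, so in dev mode a `None` configuration yields a session cookie that is either discarded or, on older browsers, sent cross-site with no Secure guarantee. I would make the two attributes agree right after the assignment, `if m.sessionsStore.Options.SameSite == http.SameSiteNoneMode && !m.sessionsStore.Options.Secure { /* log loudly or reject */ }`, or have the configuration provider refuse the combination (this needs `net/http` imported here if it is not already). Separately, rewriting `Options.SameSite` on every `CookieManager()` call mutates the options that gorilla/sessions reads when it creates a session, so concurrent requests racing a hot reload read it unsynchronised; a `-race` run should show whether that needs a lock. The surrounding nil-check block starts before the hunk and `CookieManager` ends at its last line.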
@@ -10,8 +10,7 @@ import ( "io" "github.com/go-openapi/runtime" - - strfmt "github.com/go-openapi/strfmt" + "github.com/go-openapi/strfmt" "github.com/ory/kratos/internal/httpclient/models" )