Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/cookie flags #119

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Feature/cookie flags #119

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
db7a118
change auth in logout
wojtekolesinski Jul 31, 2023
65cea01
remove dead code
wojtekolesinski Aug 2, 2023
cb8ae53
server: Introduce support for HttpOnly and Secure attributes in sessi…
wojtekolesinski Jul 27, 2023
7ef11d4
redo automatic reformat
wojtekolesinski Aug 2, 2023
1d53e97
redo automatic reformat
wojtekolesinski Aug 2, 2023
ca8ca3e
change logout flow
wojtekolesinski Aug 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,8 @@ Session store-related settings:
| `OIDC_STATE_STORE_PATH` | "/var/lib/authservice/oidc_state.db" | Path to the session store used to save the sessions for the OIDC state parameter. |
| `SESSION_MAX_AGE` | "86400" | Time in seconds after which sessions expire. Defaults to a day (24h). |
| `SESSION_SAME_SITE` | "Lax" | SameSite attribute of the session cookie. Check details of SameSite attribute [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite). Its value can be "None", "Lax" or "Strict". |
| `SESSION_HTTP_ONLY` | `false` | HttpOnly attribute of the session cookie. Check details of SameSite attribute [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes). Its value can be "true" or "false". |
| `SESSION_SECURE` | `false` | Secure attribute of the session cookie. Check details of SameSite attribute [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes). Its value can be "true" or "false". |
| `SESSION_STORE_TYPE`| "boltdb" | Set `SESSION_STORE_TYPE` to either "boltdb" to use BoltDB as the session store, or "redis" to use redis as the session store. Note that only one of the two can be used, also if you select redis then depending on your redis configurations then you might need to set the password and the number of the database that OIDC-AuthService will use as a [redis-client](https://redis.uptrace.dev/guide/go-redis.html#connecting-to-redis-server).|
| `SESSION_STORE_REDIS_ADDR`| "127.0.0.1:6379" | Set the `host:port` address for the redis session store. |
| `SESSION_STORE_REDIS_PWD`| "" | Set the password to connect with the redis session store. |
Expand Down
2 changes: 2 additions & 0 deletions common/settings.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,8 @@ type Config struct {
SessionStoreRedisDB int `split_words:"true" default:"0" envconfig:"SESSION_STORE_REDIS_DB"`
SessionMaxAge int `split_words:"true" default:"86400"`
SessionSameSite string `split_words:"true" default:"Lax"`
SessionHttpOnly bool `split_words:"true" default:"false"`
SessionSecure bool `split_words:"true" default:"false"`

// Site
ClientName string `split_words:"true" default:"AuthService"`
Expand Down
2 changes: 2 additions & 0 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,8 @@ func main() {
},
userIdTransformer: c.UserIDTransformer,
sessionMaxAgeSeconds: c.SessionMaxAge,
sessionHttpOnly: c.SessionHttpOnly,
sessionSecure: c.SessionSecure,
strictSessionValidation: c.StrictSessionValidation,
cacheEnabled: c.CacheEnabled,
cacheExpirationMinutes: c.CacheExpirationMinutes,
Expand Down
16 changes: 6 additions & 10 deletions server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,8 @@ type server struct {
userIdTransformer common.UserIDTransformer
caBundle []byte
sessionSameSite http.SameSite
sessionHttpOnly bool
sessionSecure bool
}

// authenticate_or_login calls initiates the Authorization Code Flow if the user
Expand Down Expand Up @@ -400,6 +402,8 @@ func (s *server) callback(w http.ResponseWriter, r *http.Request) {
session.Options.Path = "/"
// Extra layer of CSRF protection
session.Options.SameSite = s.sessionSameSite
session.Options.HttpOnly = s.sessionHttpOnly
session.Options.Secure = s.sessionSecure

userID, ok := claims[s.idTokenOpts.UserIDClaim].(string)
if !ok {
Expand Down Expand Up @@ -469,22 +473,14 @@ func (s *server) logout(w http.ResponseWriter, r *http.Request) {

logger := common.RequestLogger(r, logModuleInfo)

// Only header auth allowed for this endpoint
sessionID := common.GetBearerToken(r.Header.Get(s.authHeader))
if sessionID == "" {
logger.Errorf("Request doesn't have a session value in header '%s'", s.authHeader)
w.WriteHeader(http.StatusUnauthorized)
return
}

// Revoke user session.
session, err := sessions.SessionFromID(sessionID, s.store)
session, authMethod, err := sessions.SessionFromRequest(r, s.store, sessions.UserSessionCookie, s.authHeader)
if err != nil {
logger.Errorf("Couldn't get user session: %v", err)
w.WriteHeader(http.StatusInternalServerError)
return
}
if session.IsNew {
if authMethod == "" {
logger.Warn("Request doesn't have a valid session.")
w.WriteHeader(http.StatusUnauthorized)
return
Expand Down