fix: use GetSecret() in ticket.go makeCookie

The makeCookie method in ticket.go was using t.options.Secret directly, which meant cookie-secret-file was not being respected. Updated to use GetSecret() which handles both cookie-secret and cookie-secret-file properly. Also added test coverage for cookie-secret-file functionality. Fixes #3224 Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com>
2025-10-09 19:26:49 +00:00 · 2025-10-09 19:26:49 +00:00 · 349d98c8a0
parent c0a087d7f2
commit 349d98c8a0
2 changed files with 42 additions and 2 deletions
--- a/pkg/sessions/persistence/ticket.go
+++ b/pkg/sessions/persistence/ticket.go
@ -233,8 +233,11 @@ func (t *ticket) clearCookie(rw http.ResponseWriter, req *http.Request) {
 // makeCookie makes a cookie, signing the value if present
 func (t *ticket) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) (*http.Cookie, error) {
 	if value != "" {
-		var err error
-		value, err = encryption.SignedValue(t.options.Secret, t.options.Name, []byte(value), now)
+		secret, err := t.options.GetSecret()
+		if err != nil {
+			return nil, err
+		}
+		value, err = encryption.SignedValue(secret, t.options.Name, []byte(value), now)
 		if err != nil {
 			return nil, err
 		}
--- a/pkg/sessions/tests/session_store_tests.go
+++ b/pkg/sessions/tests/session_store_tests.go
@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@ -133,6 +134,42 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi
 				PersistentSessionStoreInterfaceTests(&input)
 			}
 		})
+
+		Context("with cookie secret file", func() {
+			var tmpfile *os.File
+			var err error
+			BeforeEach(func() {
+				tmpfile, err = os.CreateTemp("", "cookie-secret-test")
+				secretBytes := make([]byte, 32)
+				tmpfile.Write(secretBytes)
+				tmpfile.Close()
+
+				input.cookieOpts = &options.Cookie{
+					Name:       "_oauth2_proxy_file",
+					Path:       "/",
+					Expire:     time.Duration(168) * time.Hour,
+					Refresh:    time.Duration(1) * time.Hour,
+					Secure:     true,
+					HTTPOnly:   true,
+					SameSite:   "",
+					Secret:     "",
+					SecretFile: tmpfile.Name(),
+				}
+				ss, err = newSS(opts, input.cookieOpts)
+				Expect(err).ToNot(HaveOccurred())
+			})
+
+			AfterEach(func() {
+				if tmpfile != nil {
+					os.Remove(tmpfile.Name())
+				}
+			})
+
+			SessionStoreInterfaceTests(&input)
+			if persistentFastForward != nil {
+				PersistentSessionStoreInterfaceTests(&input)
+			}
+		})
 	})
 }