fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (#3228)

* fix: use GetSecret() in ticket.go makeCookie The makeCookie method in ticket.go was using t.options.Secret directly, which meant cookie-secret-file was not being respected. Updated to use GetSecret() which handles both cookie-secret and cookie-secret-file properly. Also added test coverage for cookie-secret-file functionality. Fixes #3224 Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> * docs: update CHANGELOG.md for cookie-secret-file fix Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> * correct PR link and undo file formatting Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> * fix: error wrapping Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
2025-10-28 00:37:25 -07:00 · 2025-10-28 00:37:25 -07:00 · 51e80f24ef
parent c0a087d7f2
commit 51e80f24ef
3 changed files with 48 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,8 @@
 ## Changes since v7.12.0
 - [#3228](https://github.com/oauth2-proxy/oauth2-proxy/pull/3228) fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file (@stagswtf)
 # V7.12.0
 ## Release Highlights
@ -119,7 +121,7 @@ For detailed information, migration guidance, and security implications, see the
 - 🕵️‍♀️ Vulnerabilities have been addressed
  - [CVE-2025-22871](https://github.com/advisories/GHSA-g9pc-8g42-g6vq)
 - 🐛 Squashed some bugs
-  
+
 ## Important Notes
 ## Breaking Changes
--- a/pkg/sessions/persistence/ticket.go
+++ b/pkg/sessions/persistence/ticket.go
@ -233,12 +233,17 @@ func (t *ticket) clearCookie(rw http.ResponseWriter, req *http.Request) {
 // makeCookie makes a cookie, signing the value if present
 func (t *ticket) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) (*http.Cookie, error) {
 	if value != "" {
-		var err error
+		secret, err := t.options.GetSecret()
 		value, err = encryption.SignedValue(t.options.Secret, t.options.Name, []byte(value), now)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("retrieving secret failed: %w", err)
 		}
 		value, err = encryption.SignedValue(secret, t.options.Name, []byte(value), now)
 		if err != nil {
 			return nil, fmt.Errorf("signing cookie value failed: %w", err)
 		}
 	}
 	return cookies.MakeCookieFromOptions(
 		req,
 		t.options.Name,
--- a/pkg/sessions/tests/session_store_tests.go
+++ b/pkg/sessions/tests/session_store_tests.go
@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"strconv"
 	"strings"
 	"time"
@ -133,6 +134,42 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi
 				PersistentSessionStoreInterfaceTests(&input)
 			}
 		})
 		Context("with cookie secret file", func() {
 			var tmpfile *os.File
 			var err error
 			BeforeEach(func() {
 				tmpfile, err = os.CreateTemp("", "cookie-secret-test")
 				secretBytes := make([]byte, 32)
 				tmpfile.Write(secretBytes)
 				tmpfile.Close()
 				input.cookieOpts = &options.Cookie{
 					Name:       "_oauth2_proxy_file",
 					Path:       "/",
 					Expire:     time.Duration(168) * time.Hour,
 					Refresh:    time.Duration(1) * time.Hour,
 					Secure:     true,
 					HTTPOnly:   true,
 					SameSite:   "",
 					Secret:     "",
 					SecretFile: tmpfile.Name(),
 				}
 				ss, err = newSS(opts, input.cookieOpts)
 				Expect(err).ToNot(HaveOccurred())
 			})
 			AfterEach(func() {
 				if tmpfile != nil {
 					os.Remove(tmpfile.Name())
 				}
 			})
 			SessionStoreInterfaceTests(&input)
 			if persistentFastForward != nil {
 				PersistentSessionStoreInterfaceTests(&input)
 			}
 		})
 	})
 }