always set httponly (there is no good reason not to); simplify httponly and expire flags

README.md

@@ -50,8 +50,10 @@ Usage of ./google_auth_proxy:
   -client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
   -client-secret="": the OAuth Client Secret
   -cookie-domain="": an optional cookie domain to force cookies to
+  -cookie-expire=168h: expire timeframe for cookie
+  -cookie-https-only=false: set HTTPS only cookie
   -cookie-secret="": the seed string for secure cookies
-  -google-apps-domain="": authenticate against the given google apps domain
+  -google-apps-domain=[]: authenticate against the given google apps domain (may be given multiple times)
   -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
   -http-address="127.0.0.1:4180": <addr>:<port> to listen on for HTTP clients
   -pass-basic-auth=true: pass HTTP Basic Auth information to upstream
@@ -98,6 +100,7 @@ The command line to run `google_auth_proxy` would look like this:
    --google-apps-domain="yourcompany.com"  \
    --upstream=http://127.0.0.1:8080/ \
    --cookie-secret=... \
+   --cookie-secure=true \
    --client-id=... \
    --client-secret=...
 ```
@@ -108,9 +111,9 @@ The environment variables `google_auth_client_id`, `google_auth_secret` and `goo
 
 ## Endpoint Documentation
 
-Google auth proxy responds directly to the following endpoints. All other endpoints will be authenticated.
+Google Auth Proxy responds directly to the following endpoints. All other endpoints will be authenticated.
 
 * /ping - returns an 200 OK response
 * /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
-* /oauth2/start - a URL that will redirect to start the oauth cycle
+* /oauth2/start - a URL that will redirect to start the OAuth cycle
-* /oauth2/callback - the URL used at the end of the oauth cycle
+* /oauth2/callback - the URL used at the end of the OAuth cycle

main.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"time"
 )
 
 const VERSION = "0.1.0"
@@ -23,8 +24,8 @@ var (
 	htpasswdFile            = flag.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
 	cookieSecret            = flag.String("cookie-secret", "", "the seed string for secure cookies")
 	cookieDomain            = flag.String("cookie-domain", "", "an optional cookie domain to force cookies to")
-	cookieExpire            = flag.Int("cookie-expire", 168 * 60, "expire time for cookie")
+	cookieExpire            = flag.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
-	cookieSecure            = flag.Bool("cookie-secure", false, "HTTPS only cookie")
+	cookieHttpsOnly         = flag.Bool("cookie-https-only", false, "set HTTPS only cookie")
 	authenticatedEmailsFile = flag.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
 	googleAppsDomains       = StringArray{}
 	upstreams               = StringArray{}

oauthproxy.go

@@ -184,27 +184,14 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
 	if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) {
 		domain = *cookieDomain
 	}
-	need_expire := true
-	expire := time.Now().Add(time.Duration(*cookieExpire))
-	if *cookieExpire == 0 {
-		need_expire = false
-	}
-	http_only := true
-	secure := false
-	if *cookieSecure {
-		http_only = false
-		secure = true
-	}
 	cookie := &http.Cookie{
 		Name:     p.CookieKey,
 		Value:    signedCookieValue(p.CookieSeed, p.CookieKey, val),
 		Path:     "/",
 		Domain:   domain,
-		HttpOnly: http_only,
+		HttpOnly: true,
-		Secure:   secure,
+		Secure:   *cookieHttpsOnly,
-	}
+		Expires:  time.Now().Add(*cookieExpire),
-	if need_expire {
-		cookie.Expires = expire
 	}
 	http.SetCookie(rw, cookie)
 }