public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #376 from reedloden/make-cookie-domain-optional 

Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
This commit is contained in:
Jehiah Czebotar 2017-10-23 14:14:45 -04:00 committed by GitHub
parent bc1b839f7f b6bd878f27
commit bfda078caa
2 changed files with 7 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -175,7 +175,7 @@ Usage of oauth2_proxy:
-client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com" -client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret string: the OAuth Client Secret -client-secret string: the OAuth Client Secret
-config string: path to config file -config string: path to config file
-cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)* -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)
-cookie-expire duration: expire timeframe for cookie (default 168h0m0s) -cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
-cookie-httponly: set HttpOnly cookie flag (default true) -cookie-httponly: set HttpOnly cookie flag (default true)
-cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy") -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")

11
oauthproxy.go
View File

@ -155,16 +155,12 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix) redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID) log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)
domain := opts.CookieDomain
if domain == "" {
domain = "<default>"
}
refresh := "disabled" refresh := "disabled"
if opts.CookieRefresh != time.Duration(0) { if opts.CookieRefresh != time.Duration(0) {
refresh = fmt.Sprintf("after %s", opts.CookieRefresh) refresh = fmt.Sprintf("after %s", opts.CookieRefresh)
} }
log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain, refresh) log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, opts.CookieDomain, refresh)
var cipher *cookie.Cipher var cipher *cookie.Cipher
if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) { if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
@ -267,22 +263,21 @@ func (p *OAuthProxy) MakeCSRFCookie(req *http.Request, value string, expiration
} }
func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, expiration time.Duration, now time.Time) *http.Cookie { func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, expiration time.Duration, now time.Time) *http.Cookie {
if p.CookieDomain != "" {
domain := req.Host domain := req.Host
if h, _, err := net.SplitHostPort(domain); err == nil { if h, _, err := net.SplitHostPort(domain); err == nil {
domain = h domain = h
} }
if p.CookieDomain != "" {
if !strings.HasSuffix(domain, p.CookieDomain) { if !strings.HasSuffix(domain, p.CookieDomain) {
log.Printf("Warning: request host is %q but using configured cookie domain of %q", domain, p.CookieDomain) log.Printf("Warning: request host is %q but using configured cookie domain of %q", domain, p.CookieDomain)
} }
domain = p.CookieDomain
} }
return &http.Cookie{ return &http.Cookie{
Name: name, Name: name,
Value: value, Value: value,
Path: "/", Path: "/",
Domain: domain, Domain: p.CookieDomain,
HttpOnly: p.CookieHttpOnly, HttpOnly: p.CookieHttpOnly,
Secure: p.CookieSecure, Secure: p.CookieSecure,
Expires: now.Add(expiration), Expires: now.Add(expiration),