Fixes deletion of splitted cookies - Issue #69 (#70)

* fixes deletion of splitted cookies * three minor adjustments to improve the tests * changed cookie name matching to regex * Update oauthproxy.go Co-Authored-By: einfachchr <einfachchr@gmail.com> * removed unused variable * Changelog
2019-03-15 08:18:37 +01:00 · 2019-03-15 08:18:37 +01:00 · f715c9371b
parent cfd1fd83bd
commit f715c9371b
3 changed files with 57 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,7 @@

 ## Changes since v3.1.0

+- [#70](https://github.com/pusher/oauth2_proxy/pull/70) Fix handling of splitted cookies (@einfachchr)
 - [#92](https://github.com/pusher/oauth2_proxy/pull/92) Merge websocket proxy feature from openshift/oauth-proxy (@butzist)
 - [#57](https://github.com/pusher/oauth2_proxy/pull/57) Fall back to using OIDC Subject instead of Email (@aigarius)
 - [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes)
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -452,9 +452,18 @@ func (p *OAuthProxy) SetCSRFCookie(rw http.ResponseWriter, req *http.Request, va
 // ClearSessionCookie creates a cookie to unset the user's authentication cookie
 // stored in the user's session
 func (p *OAuthProxy) ClearSessionCookie(rw http.ResponseWriter, req *http.Request) {
-	cookies := p.MakeSessionCookie(req, "", time.Hour*-1, time.Now())
-	for _, clr := range cookies {
-		http.SetCookie(rw, clr)
+	var cookies []*http.Cookie
+
+	// matches CookieName, CookieName_<number>
+	var cookieNameRegex = regexp.MustCompile(fmt.Sprintf("^%s(_\\d+)?$", p.CookieName))
+
+	for _, c := range req.Cookies() {
+		if cookieNameRegex.MatchString(c.Name) {
+			clearCookie := p.makeCookie(req, c.Name, "", time.Hour*-1, time.Now())
+
+			http.SetCookie(rw, clearCookie)
+			cookies = append(cookies, clearCookie)
+		}
 	}

 	// ugly hack because default domain changed
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@ -1064,3 +1064,47 @@ func TestAjaxForbiddendRequest(t *testing.T) {
 	mime := rh.Get("Content-Type")
 	assert.NotEqual(t, applicationJSON, mime)
 }
+
+func TestClearSplitCookie(t *testing.T) {
+	p := OAuthProxy{CookieName: "oauth2", CookieDomain: "abc"}
+	var rw = httptest.NewRecorder()
+	req := httptest.NewRequest("get", "/", nil)
+
+	req.AddCookie(&http.Cookie{
+		Name:  "test1",
+		Value: "test1",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  "oauth2_0",
+		Value: "oauth2_0",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  "oauth2_1",
+		Value: "oauth2_1",
+	})
+
+	p.ClearSessionCookie(rw, req)
+	header := rw.Header()
+
+	assert.Equal(t, 2, len(header["Set-Cookie"]), "should have 3 set-cookie header entries")
+}
+
+func TestClearSingleCookie(t *testing.T) {
+	p := OAuthProxy{CookieName: "oauth2", CookieDomain: "abc"}
+	var rw = httptest.NewRecorder()
+	req := httptest.NewRequest("get", "/", nil)
+
+	req.AddCookie(&http.Cookie{
+		Name:  "test1",
+		Value: "test1",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  "oauth2",
+		Value: "oauth2",
+	})
+
+	p.ClearSessionCookie(rw, req)
+	header := rw.Header()
+
+	assert.Equal(t, 1, len(header["Set-Cookie"]), "should have 1 set-cookie header entries")
+}