Add sameSiteNoneForInsecure option
This commit is contained in:
parent
064e8d8a97
commit
8363b26922
3 changed files with 20 additions and 8 deletions
|
@ -27,6 +27,9 @@ auth:
|
||||||
# this allows the JWT cookie to be served over plain HTTP only for these Host: header values
|
# this allows the JWT cookie to be served over plain HTTP only for these Host: header values
|
||||||
allowInsecureFor:
|
allowInsecureFor:
|
||||||
"localhost": true
|
"localhost": true
|
||||||
|
# this instead changes the meaning of allowInsecureFor to the cookie being marked
|
||||||
|
# Secure, but SameSite will be set to None
|
||||||
|
sameSiteNoneForInsecure: false
|
||||||
listen: ':3050'
|
listen: ':3050'
|
||||||
public: true
|
public: true
|
||||||
log:
|
log:
|
||||||
|
|
|
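Review bot: The comment on the new `sameSiteNoneForInsecure` key describes the attributes but not what they mean for a deployment, which is the part an operator needs before enabling it. Browsers only store and send a cookie carrying Secure over HTTPS (localhost is treated as trustworthy by current major browsers), so with this option the allowInsecureFor hosts presumably sit behind a TLS terminator rather than being reached over plain HTTP, and SameSite=None means the cookie accompanies cross-site requests, which removes the cross-site protection SameSite=Lax gave. Suggest extending the comment with `# Secure cookies are only kept by browsers over HTTPS (or on localhost), and SameSite=None lets the cookie be sent on cross-site requests`.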
@ -145,6 +145,16 @@ func (a *Auth) allowInsecureCookie(r *http.Request) bool {
|
||||||
return has && v
|
return has && v
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (a *Auth) setInsecureCookie(cookie *http.Cookie) {
|
||||||
|
if a.cfg.SameSiteNoneWhenInsecure {
|
||||||
|
cookie.Secure = true
|
||||||
|
cookie.SameSite = http.SameSiteNoneMode
|
||||||
|
} else {
|
||||||
|
cookie.Secure = false
|
||||||
|
cookie.SameSite = http.SameSiteLaxMode
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func (a *Auth) routeRefresh(w http.ResponseWriter, r *http.Request) {
|
func (a *Auth) routeRefresh(w http.ResponseWriter, r *http.Request) {
|
||||||
jwToken, _, err := jwtauth.FromContext(r.Context())
|
jwToken, _, err := jwtauth.FromContext(r.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -174,8 +184,7 @@ func (a *Auth) routeRefresh(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if a.allowInsecureCookie(r) {
|
if a.allowInsecureCookie(r) {
|
||||||
cookie.Secure = false
|
a.setInsecureCookie(cookie)
|
||||||
cookie.SameSite = http.SameSiteLaxMode
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if cookie.Secure {
|
if cookie.Secure {
|
||||||
|
@ -236,8 +245,7 @@ func (a *Auth) routeAuth(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
cookie.Domain = r.Host
|
cookie.Domain = r.Host
|
||||||
if a.allowInsecureCookie(r) {
|
if a.allowInsecureCookie(r) {
|
||||||
cookie.Secure = false
|
a.setInsecureCookie(cookie)
|
||||||
cookie.SameSite = http.SameSiteLaxMode
|
|
||||||
}
|
}
|
||||||
|
|
||||||
http.SetCookie(w, cookie)
|
http.SetCookie(w, cookie)
|
||||||
|
@ -263,8 +271,8 @@ func (a *Auth) routeLogout(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
cookie.Domain = r.Host
|
cookie.Domain = r.Host
|
||||||
if a.allowInsecureCookie(r) {
|
if a.allowInsecureCookie(r) {
|
||||||
cookie.Secure = false
|
cookie.Secure = true
|
||||||
cookie.SameSite = http.SameSiteLaxMode
|
cookie.SameSite = http.SameSiteNoneMode
|
||||||
}
|
}
|
||||||
|
|
||||||
http.SetCookie(w, cookie)
|
http.SetCookie(w, cookie)
|
||||||
|
|
|
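Review bot: routeLogout still hard-codes `cookie.Secure = true` and `cookie.SameSite = http.SameSiteNoneMode` inside `if a.allowInsecureCookie(r)`, while routeRefresh and routeAuth now call `a.setInsecureCookie(cookie)`, so with `sameSiteNoneForInsecure` at its default of false the clearing cookie on logout carries Secure although the login cookie was issued without it. A Set-Cookie with Secure from a plain-HTTP origin is rejected by browsers (localhost aside), so on the hosts allowInsecureFor exists for the logout is likely to leave the JWT cookie in place; replace the two lines with `a.setInsecureCookie(cookie)` as in the other two handlers. The new helper also lacks a doc comment; suggest `// setInsecureCookie applies the cookie attributes for hosts in allowInsecureFor: Secure with SameSite=None when sameSiteNoneForInsecure is set, else cleartext-capable with SameSite=Lax.` The bodies of routeRefresh, routeAuth and routeLogout extend beyond their hunks.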
@ -32,6 +32,7 @@ type Config struct {
|
||||||
type Auth struct {
|
type Auth struct {
|
||||||
JWTSecret string `yaml:"jwtsecret"`
|
JWTSecret string `yaml:"jwtsecret"`
|
||||||
AllowInsecure map[string]bool `yaml:"allowInsecureFor"`
|
AllowInsecure map[string]bool `yaml:"allowInsecureFor"`
|
||||||
|
SameSiteNoneWhenInsecure bool `yaml:"sameSiteNoneForInsecure"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type CORS struct {
|
type CORS struct {
|
||||||
|
|
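Review bot: The added `SameSiteNoneWhenInsecure` field has no doc comment, and its Go name (`WhenInsecure`) differs from both its YAML key `sameSiteNoneForInsecure` and the commit title, which makes it harder to follow the option from the config sample into the code. Suggest `// SameSiteNoneWhenInsecure changes what allowInsecureFor does for a matching Host: the cookie keeps Secure and gets SameSite=None instead of dropping Secure and using SameSite=Lax, so it is only delivered over HTTPS but is also sent on cross-site requests.` Renaming the field to `SameSiteNoneForInsecure` to match the key would not affect parsing since the yaml tag carries the key. The rest of the Auth struct and its enclosing Config struct lie outside the hunk.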