Add sameSiteNoneForInsecure option
This commit is contained in:
parent
064e8d8a97
commit
8363b26922
3 changed files with 20 additions and 8 deletions
|
|
@ -27,6 +27,9 @@ auth:
|
|||
# this allows the JWT cookie to be served over plain HTTP only for these Host: header values
|
||||
allowInsecureFor:
|
||||
"localhost": true
|
||||
# this instead changes the meaning of allowInsecureFor to the cookie being marked
|
||||
# Secure, but SameSite will be set to None
|
||||
sameSiteNoneForInsecure: false
|
||||
listen: ':3050'
|
||||
public: true
|
||||
log:
|
||||
|
|
|
|||
|
|
@ -145,6 +145,16 @@ func (a *Auth) allowInsecureCookie(r *http.Request) bool {
|
|||
return has && v
|
||||
}
|
||||
|
||||
func (a *Auth) setInsecureCookie(cookie *http.Cookie) {
|
||||
if a.cfg.SameSiteNoneWhenInsecure {
|
||||
cookie.Secure = true
|
||||
cookie.SameSite = http.SameSiteNoneMode
|
||||
} else {
|
||||
cookie.Secure = false
|
||||
cookie.SameSite = http.SameSiteLaxMode
|
||||
}
|
||||
}
|
||||
|
||||
func (a *Auth) routeRefresh(w http.ResponseWriter, r *http.Request) {
|
||||
jwToken, _, err := jwtauth.FromContext(r.Context())
|
||||
if err != nil {
|
||||
|
|
@ -174,8 +184,7 @@ func (a *Auth) routeRefresh(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
if a.allowInsecureCookie(r) {
|
||||
cookie.Secure = false
|
||||
cookie.SameSite = http.SameSiteLaxMode
|
||||
a.setInsecureCookie(cookie)
|
||||
}
|
||||
|
||||
if cookie.Secure {
|
||||
|
|
@ -236,8 +245,7 @@ func (a *Auth) routeAuth(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
cookie.Domain = r.Host
|
||||
if a.allowInsecureCookie(r) {
|
||||
cookie.Secure = false
|
||||
cookie.SameSite = http.SameSiteLaxMode
|
||||
a.setInsecureCookie(cookie)
|
||||
}
|
||||
|
||||
http.SetCookie(w, cookie)
|
||||
|
|
@ -263,8 +271,8 @@ func (a *Auth) routeLogout(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
cookie.Domain = r.Host
|
||||
if a.allowInsecureCookie(r) {
|
||||
cookie.Secure = false
|
||||
cookie.SameSite = http.SameSiteLaxMode
|
||||
cookie.Secure = true
|
||||
cookie.SameSite = http.SameSiteNoneMode
|
||||
}
|
||||
|
||||
http.SetCookie(w, cookie)
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ type Config struct {
|
|||
type Auth struct {
|
||||
JWTSecret string `yaml:"jwtsecret"`
|
||||
AllowInsecure map[string]bool `yaml:"allowInsecureFor"`
|
||||
SameSiteNoneWhenInsecure bool `yaml:"sameSiteNoneForInsecure"`
|
||||
}
|
||||
|
||||
type CORS struct {
|
||||
|
|
|
|||
Loading…
Reference in a new issue