Add SameSite attribute to the OAuth2 state cookie #112

Merged
merged 1 commit into from
Jan 7, 2023
5 changes: 5 additions & 0 deletions CHANGES.md
Expand Up @@ -4,6 +4,11 @@ Notable changes between releases.

## Latest

* Add `SameSite` field to the oauth2 state `CookieConfig` ([#112](https://github.com/dghubble/gologin/pull/112))
* Set `SameSiteLaxMode` in `DefaultCookieConfig` and `DebugOnlyCookieConfig`
* Raise the `MaxAge` in `DefaultCookieConfig` and `DebugOnlyCookieConfig`
* Allow 10 min for users to complete the authorization flow

## v2.3.1

* Update minimum Go version from v1.17 to v1.18 ([#116](https://github.com/dghubble/gologin/pull/116))
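Review bot: the `MaxAge` bullet should state the old and new values (60 s to 600 s, per the config.go change in this PR) so integrators can see how much longer a state cookie now stays valid, and the `SameSite` bullet should say why `Lax` rather than `Strict` was chosen: the provider's redirect back to the callback URL is a top-level cross-site navigation, on which browsers still send Lax cookies but withhold Strict ones, so a Strict default would break state verification for every login.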
11 changes: 9 additions & 2 deletions config.go
@@ -1,5 +1,7 @@
package gologin

import "net/http"

// CookieConfig configures http.Cookie creation.
type CookieConfig struct {
// Name is the desired cookie name.
Expand All @@ -21,15 +23,19 @@ type CookieConfig struct {
// Secure flag indicating to the browser that the cookie should only be
// transmitted over a TLS HTTPS connection. Recommended true in production.
Secure bool
// SameSite attribute modes indicates that a browser not send a cookie in
// cross-site requests.
SameSite http.SameSite
}

// DefaultCookieConfig configures short-lived temporary http.Cookie creation.
var DefaultCookieConfig = CookieConfig{
Name: "gologin-temporary-cookie",
Path: "/",
MaxAge: 60, // 60 seconds
MaxAge: 600, // 10 min
HTTPOnly: true,
Secure: true, // HTTPS only
SameSite: http.SameSiteLaxMode,
}

// DebugOnlyCookieConfig configures creation of short-lived temporary
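Review bot: the new doc comment on `SameSite` ("attribute modes indicates that a browser not send a cookie in cross-site requests") is ungrammatical and overstates what `Lax` does; suggest "SameSite controls whether the browser sends the cookie on cross-site requests. Lax (the default here) still sends it on top-level navigations such as the OAuth2 provider's redirect to the callback; Strict would not." It is also worth documenting that the zero value, `http.SameSiteDefaultMode`, makes net/http omit the attribute entirely, so callers who build their own `CookieConfig` and leave the field unset get browser-default behaviour rather than Lax.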
Expand All @@ -38,7 +44,8 @@ var DefaultCookieConfig = CookieConfig{
var DebugOnlyCookieConfig = CookieConfig{
Name: "gologin-temporary-cookie",
Path: "/",
MaxAge: 60, // 60 seconds
MaxAge: 600, // 10 min
HTTPOnly: true,
Secure: false, // allows cookies to be send over HTTP
SameSite: http.SameSiteLaxMode,
}
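Review bot: `DebugOnlyCookieConfig` now differs from `DefaultCookieConfig` only in `Secure`, and this PR had to apply the `MaxAge` and `SameSite` changes twice; consider deriving the debug config from the default one in an init step so the two cannot drift again. While touching this block, the context comment "allows cookies to be send over HTTP" should read "sent".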
1 change: 1 addition & 0 deletions internal/cookie.go
Expand Up @@ -21,6 +21,7 @@ func NewCookie(config gologin.CookieConfig, value string) *http.Cookie {
MaxAge: config.MaxAge,
HttpOnly: config.HTTPOnly,
Secure: config.Secure,
SameSite: config.SameSite,
}
// IE <9 does not understand MaxAge, set Expires if MaxAge is non-zero.
if expires, ok := expiresTime(config.MaxAge); ok {
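Review bot: none of the three files in this PR adds a test for the new field; suggest a unit test that builds a cookie with `NewCookie(gologin.DefaultCookieConfig, "state")` and asserts `cookie.SameSite == http.SameSiteLaxMode`, plus one for a config with `SameSite` unset asserting that the serialized `Set-Cookie` header carries no `SameSite` attribute, so a regression in either the pass-through or the defaults is caught.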