go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-25 00:47:17 +02:00
Code Issues Releases Activity
Files
cookie-builder
oauth2-proxy/pkg/cookies/cookies.go

56 lines
1.4 KiB
Go
Raw Permalink Normal View History

Implement ClearSession for cookie SessionStore
2019-05-07 00:20:36 +01:00
package cookies
import (
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite
2019-12-16 13:10:04 -05:00
"fmt"
Implement ClearSession for cookie SessionStore
2019-05-07 00:20:36 +01:00
"net"
"net/http"
"strings"
Fix import path for v7 (#800) * fix import path for v7 find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|' * fix module path * go mod tidy * fix installation docs * update CHANGELOG * Update CHANGELOG.md Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-30 01:44:42 +09:00
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
Refactor organization of scope aware request utils Reorganized the structure of the Request Utils due to their widespread use resulting in circular imports issues (mostly because of middleware & logger).
2021-01-02 13:16:01 -08:00
requestutil "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests/util"
Implement ClearSession for cookie SessionStore
2019-05-07 00:20:36 +01:00
)
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 04:00:44 -07:00
// GetCookieDomain returns the correct cookie domain given a list of domains
// by checking the X-Fowarded-Host and host header of an an http request
func GetCookieDomain(req *http.Request, cookieDomains []string) string {
Refactor organization of scope aware request utils Reorganized the structure of the Request Utils due to their widespread use resulting in circular imports issues (mostly because of middleware & logger).
2021-01-02 13:16:01 -08:00
host := requestutil.GetRequestHost(req)
Allow multiple cookie domains to be specified (#412) * Allow multiple cookie domains to be specified * Use X-Forwarded-Host, if it exists, when selecting cookie domain * Perform cookie domain sorting in config validation phase * Extract get domain cookies to a single function * Update pkg/cookies/cookies.go Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk> * Update changelog Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 04:00:44 -07:00
for _, domain := range cookieDomains {
if strings.HasSuffix(host, domain) {
return domain
}
}
return ""
}
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite
2019-12-16 13:10:04 -05:00
// Parse a valid http.SameSite value from a user supplied string for use of making cookies.
func ParseSameSite(v string) http.SameSite {
switch v {
case "lax":
return http.SameSiteLaxMode
case "strict":
return http.SameSiteStrictMode
case "none":
return http.SameSiteNoneMode
case "":
Update go version to 1.16 This includes a fix for our samesite cookie parsing. The behaviour changed in 1.16 so that the default value now leaves it empty, so it's equivalent to not setting it (as per spec)
2021-02-17 20:59:46 +00:00
return 0
Add configuration for cookie 'SameSite' value. Values of 'lax' and 'strict' can improve and mitigate some categories of cross-site traffic tampering. Given that the nature of this proxy is often to proxy private tools, this is useful to take advantage of. See: https://www.owasp.org/index.php/SameSite
2019-12-16 13:10:04 -05:00
default:
panic(fmt.Sprintf("Invalid value for SameSite: %s", v))
}
Simplify cookie creation form *options.CookieOptions
2019-05-13 16:01:28 +01:00
}
Support nonce checks in OIDC Provider (#967) * Set and verify a nonce with OIDC * Create a CSRF object to manage nonces & cookies * Add missing generic cookie unit tests * Add config flag to control OIDC SkipNonce * Send hashed nonces in authentication requests * Encrypt the CSRF cookie * Add clarity to naming & add more helper methods * Make CSRF an interface and keep underlying nonces private * Add ReverseProxy scope to cookie tests * Align to new 1.16 SameSite cookie default * Perform SecretBytes conversion on CSRF cookie crypto * Make state encoding signatures consistent * Mock time in CSRF struct via Clock * Improve InsecureSkipNonce docstring
2021-04-21 02:33:27 -07:00
// warnInvalidDomain logs a warning if the request host and cookie domain are
// mismatched.
func warnInvalidDomain(c *http.Cookie, req *http.Request) {
if c.Domain == "" {
return
}
host := requestutil.GetRequestHost(req)
if h, _, err := net.SplitHostPort(host); err == nil {
host = h
}
if !strings.HasSuffix(host, c.Domain) {
logger.Errorf("Warning: request host is %q but using configured cookie domain of %q", host, c.Domain)
}
}
Reference in New Issue Copy Permalink