feat: allow overriding cookie domain for session (#285)
Signed-off-by: Kush Sharma <[email protected]>
kushsharma authored Jul 31, 2023
1 parent 201a522 commit 2738405
Showing 6 changed files with 14 additions and 3 deletions.
5 changes: 4 additions & 1 deletion .dockerignore
@@ -6,4 +6,7 @@ LICENSE
test
.idea/
temp/
vendor/
vendor/
config.yml
coverage.out
resource_config
2 changes: 2 additions & 0 deletions config/config.yaml
@@ -44,6 +44,8 @@ app:
hash_secret_key: "hash-secret-should-be-32-chars--"
# block helps in encryption
block_secret_key: "block-secret-should-be-32-chars-"
# domain used for setting cookies, if not set defaults to request origin host
domain: ""
# once authenticated, server responds with a jwt with user context
# this jwt works as a bearer access token for all APIs
token:
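Review bot: The new comment above `domain: ""` does not say that a non-empty value widens where the session cookie is sent: with the Domain attribute set, browsers send the cookie to that domain and all of its subdomains, while leaving it empty gives a host-only cookie. That matters for a session cookie, because any less-trusted application hosted on a sibling subdomain would then receive it. I would reword the comment to something like `# cookie Domain attribute for the session cookie; leave empty for a host-only cookie, a non-empty value also sends the cookie to every subdomain`. The same wording is copied into docs/docs/reference/configurations.md, and the new `Domain` field in core/authenticate/config.go has no comment at all.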
1 change: 1 addition & 0 deletions core/authenticate/config.go
@@ -29,6 +29,7 @@ type TokenConfig struct {
type SessionConfig struct {
HashSecretKey string `mapstructure:"hash_secret_key" yaml:"hash_secret_key" default:"hash-secret-should-be-32-chars--"`
BlockSecretKey string `mapstructure:"block_secret_key" yaml:"block_secret_key" default:"block-secret-should-be-32-chars-"`
Domain string `mapstructure:"domain" yaml:"domain" default:""`
}

type OIDCConfig struct {
2 changes: 2 additions & 0 deletions docs/docs/reference/configurations.md
@@ -50,6 +50,8 @@ app:
hash_secret_key: "hash-secret-should-be-32-chars--"
# block helps in encryption
block_secret_key: "block-secret-should-be-32-chars-"
# domain used for setting cookies, if not set defaults to request origin host
domain: ""
# once authenticated, server responds with a jwt with user context
# this jwt works as a bearer access token for all APIs
token:
5 changes: 4 additions & 1 deletion pkg/server/interceptors/session.go
@@ -23,9 +23,10 @@ type Session struct {
// TODO(kushsharma): server should be able to rotate encryption keys of codec
// use secure cookie EncodeMulti/DecodeMulti
cookieCodec securecookie.Codec
domain string
}

func NewSession(cookieCutter securecookie.Codec) *Session {
func NewSession(cookieCutter securecookie.Codec, domain string) *Session {
return &Session{
// could be nil if not configured by user
cookieCodec: cookieCutter,
@@ -53,6 +54,7 @@ func (h Session) GatewayResponseModifier(ctx context.Context, w http.ResponseWri
// put session id in request cookies
if encoded, err := h.cookieCodec.Encode(consts.SessionRequestKey, sessionIDFromGateway); err == nil {
http.SetCookie(w, &http.Cookie{
Domain: h.domain,
Name: consts.SessionRequestKey,
Value: encoded,
Path: "/",
@@ -74,6 +76,7 @@ func (h Session) GatewayResponseModifier(ctx context.Context, w http.ResponseWri

// clear session from request
http.SetCookie(w, &http.Cookie{
Domain: h.domain,
Name: consts.SessionRequestKey,
Value: "",
Path: "/",
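Review bot: `NewSession` now accepts `domain`, but nothing visible stores it: the struct literal in the first hunk still shows only `cookieCodec: cookieCutter,`, and the section's four additions are already accounted for by the new field, the new signature and the two `Domain: h.domain,` lines. If that reading is right, `h.domain` is always empty and the configured domain never reaches either `http.SetCookie` call, so the override silently does nothing. The literal should gain `domain: domain,`; its closing lines are outside the hunk, so confirm against the full file. A test that constructs the session with a domain and checks the `Set-Cookie` header would catch this.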
2 changes: 1 addition & 1 deletion pkg/server/server.go
@@ -89,7 +89,7 @@ func Serve(
[]byte(cfg.Authentication.Session.BlockSecretKey),
)
}
sessionMiddleware := interceptors.NewSession(sessionCookieCutter)
sessionMiddleware := interceptors.NewSession(sessionCookieCutter, cfg.Authentication.Session.Domain)

var grpcGatewayServerInterceptors []runtime.ServeMuxOption
grpcGatewayServerInterceptors = append(grpcGatewayServerInterceptors,