diff --git a/.dockerignore b/.dockerignore
index 40c18f743..a45a230ef 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -6,4 +6,7 @@ LICENSE
 test
 .idea/
 temp/
-vendor/
\ No newline at end of file
+vendor/
+config.yml
+coverage.out
+resource_config
\ No newline at end of file
diff --git a/config/config.yaml b/config/config.yaml
index 69ee506a2..7e90f1363 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -44,6 +44,8 @@ app:
 hash_secret_key: "hash-secret-should-be-32-chars--"
 # block helps in encryption
 block_secret_key: "block-secret-should-be-32-chars-"
+ # domain used for setting cookies, if not set defaults to request origin host
+ domain: ""
 # once authenticated, server responds with a jwt with user context
 # this jwt works as a bearer access token for all APIs
 token:
diff --git a/core/authenticate/config.go b/core/authenticate/config.go
index 5dd1bc28b..0b06e9235 100644
--- a/core/authenticate/config.go
+++ b/core/authenticate/config.go
@@ -29,6 +29,7 @@ type TokenConfig struct {
 type SessionConfig struct {
 HashSecretKey string `mapstructure:"hash_secret_key" yaml:"hash_secret_key" default:"hash-secret-should-be-32-chars--"`
 BlockSecretKey string `mapstructure:"block_secret_key" yaml:"block_secret_key" default:"block-secret-should-be-32-chars-"`
+ Domain string `mapstructure:"domain" yaml:"domain" default:""`
 }
 
 type OIDCConfig struct {
diff --git a/docs/docs/reference/configurations.md b/docs/docs/reference/configurations.md
index 9dd8958f0..b00da9b00 100644
--- a/docs/docs/reference/configurations.md
+++ b/docs/docs/reference/configurations.md
@@ -50,6 +50,8 @@ app:
 hash_secret_key: "hash-secret-should-be-32-chars--"
 # block helps in encryption
 block_secret_key: "block-secret-should-be-32-chars-"
+ # domain used for setting cookies, if not set defaults to request origin host
+ domain: ""
 # once authenticated, server responds with a jwt with user context
 # this jwt works as a bearer access token for all APIs
 token:
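Review bot: The new `Domain` field on `SessionConfig` has no doc comment, although the yaml and docs hunks in this commit explain what it does and the value directly controls how far the session cookie is shared. Suggest `// Domain is the Domain attribute set on the session cookie; when empty the cookie is host-only (scoped to the request host). A parent domain widens it to every subdomain, so set it deliberately.` above the field. The struct is fully visible in the hunk, so the comment fits without touching anything outside it.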
diff --git a/pkg/server/interceptors/session.go b/pkg/server/interceptors/session.go
index 21eddc549..69c6074a0 100644
--- a/pkg/server/interceptors/session.go
+++ b/pkg/server/interceptors/session.go
@@ -23,9 +23,10 @@ type Session struct {
 // TODO(kushsharma): server should be able to rotate encryption keys of codec
 // use secure cookie EncodeMulti/DecodeMulti
 cookieCodec securecookie.Codec
+ domain string
 }
 
-func NewSession(cookieCutter securecookie.Codec) *Session {
+func NewSession(cookieCutter securecookie.Codec, domain string) *Session {
 return &Session{
 // could be nil if not configured by user
 cookieCodec: cookieCutter,
@@ -53,6 +54,7 @@ func (h Session) GatewayResponseModifier(ctx context.Context, w http.ResponseWri
 // put session id in request cookies
 if encoded, err := h.cookieCodec.Encode(consts.SessionRequestKey, sessionIDFromGateway); err == nil {
 http.SetCookie(w, &http.Cookie{
+ Domain: h.domain,
 Name: consts.SessionRequestKey,
 Value: encoded,
 Path: "/",
@@ -74,6 +76,7 @@ func (h Session) GatewayResponseModifier(ctx context.Context, w http.ResponseWri
 
 // clear session from request
 http.SetCookie(w, &http.Cookie{
+ Domain: h.domain,
 Name: consts.SessionRequestKey,
 Value: "",
 Path: "/",
diff --git a/pkg/server/server.go b/pkg/server/server.go
index afd467418..88e9b4b31 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -89,7 +89,7 @@ func Serve(
 []byte(cfg.Authentication.Session.BlockSecretKey),
 )
 }
-sessionMiddleware := interceptors.NewSession(sessionCookieCutter)
+sessionMiddleware := interceptors.NewSession(sessionCookieCutter, cfg.Authentication.Session.Domain)
 
 var grpcGatewayServerInterceptors []runtime.ServeMuxOption
 grpcGatewayServerInterceptors = append(grpcGatewayServerInterceptors,
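Review bot: The `domain` parameter added to `NewSession` is never stored in the returned `Session`: the hunk's trailing context ends with `cookieCodec: cookieCutter,` three lines after the changed signature, and a `+ domain: domain,` line would have had to appear inside this hunk to be within context range, so unless it is assigned somewhere else `h.domain` stays `""` and the new `Domain: h.domain` attributes in the two later hunks of this file are no-ops. The fix is one line after `cookieCodec: cookieCutter,`: `domain: domain,`. The struct literal and the rest of `NewSession` continue outside the hunk. A doc comment on the field, `// domain is the cookie Domain attribute; empty means host-only`, would also help, since the same value is now used both when setting and when clearing the cookie and the two must match for the clear to take effect.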
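Review bot: `cfg.Authentication.Session.Domain` is passed straight through without validation, and as far as I recall net/http drops an invalid `Cookie.Domain` at serialization time with a log line rather than an error, so a typo in the config silently degrades to a host-only cookie (or, if it parses, widens the cookie scope) with nothing failing at startup. Consider rejecting the value early in `Serve`, e.g. after the session config is read: `if d := cfg.Authentication.Session.Domain; d != "" && (strings.ContainsAny(d, " ;,") || strings.HasPrefix(d, ".")) { return fmt.Errorf("invalid session cookie domain %q", d) }`, or at least log the effective value once so operators can confirm the scope they intended. `Serve` continues on both sides of this hunk.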