support same site attribute #73

go-pkgz · Jan 6, 2021 · 8b8f5d7 · 8b8f5d7
1 parent 2f012ac
commit 8b8f5d7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 9 deletions.
diff --git a/auth.go b/auth.go
@@ -53,7 +53,8 @@ type Opts struct {
 	XSRFHeaderKey  string // default "X-XSRF-TOKEN"
 	JWTQuery       string // default "token"
 
-	SendJWTHeader bool // if enabled send JWT as a header instead of cookie
+	SendJWTHeader  bool          // if enabled send JWT as a header instead of cookie
+	SameSiteCookie http.SameSite // limit cross-origin requests with SameSite cookie attribute
 
 	Issuer string // optional value for iss claim, usually the application name, default "go-pkgz/auth"
 

diff --git a/token/jwt.go b/token/jwt.go
@@ -63,10 +63,11 @@ type Opts struct {
 	XSRFCookieName string
 	XSRFHeaderKey  string
 	JWTQuery       string
-	AudienceReader Audience // allowed aud values
-	Issuer         string   // optional value for iss claim, usually application name
-	AudSecrets     bool     // uses different secret for differed auds. important: adds pre-parsing of unverified token
-	SendJWTHeader  bool     // if enabled send JWT as a header instead of cookie
+	AudienceReader Audience      // allowed aud values
+	Issuer         string        // optional value for iss claim, usually application name
+	AudSecrets     bool          // uses different secret for differed auds. important: adds pre-parsing of unverified token
+	SendJWTHeader  bool          // if enabled send JWT as a header instead of cookie
+	SameSite       http.SameSite // define a cookie attribute making it impossible for the browser to send this cookie cross-site
 }
 
 // NewService makes JWT service
@@ -238,11 +239,11 @@ func (j *Service) Set(w http.ResponseWriter, claims Claims) (Claims, error) {
 	}
 
 	jwtCookie := http.Cookie{Name: j.JWTCookieName, Value: tokenString, HttpOnly: true, Path: "/",
-		MaxAge: cookieExpiration, Secure: j.SecureCookies}
+		MaxAge: cookieExpiration, Secure: j.SecureCookies, SameSite: j.SameSite}
 	http.SetCookie(w, &jwtCookie)
 
 	xsrfCookie := http.Cookie{Name: j.XSRFCookieName, Value: claims.Id, HttpOnly: false, Path: "/",
-		MaxAge: cookieExpiration, Secure: j.SecureCookies}
+		MaxAge: cookieExpiration, Secure: j.SecureCookies, SameSite: j.SameSite}
 	http.SetCookie(w, &xsrfCookie)
 
 	return claims, nil
@@ -311,11 +312,11 @@ func (j *Service) IsExpired(claims Claims) bool {
 // Reset token's cookies
 func (j *Service) Reset(w http.ResponseWriter) {
 	jwtCookie := http.Cookie{Name: j.JWTCookieName, Value: "", HttpOnly: false, Path: "/",
-		MaxAge: -1, Expires: time.Unix(0, 0), Secure: j.SecureCookies}
+		MaxAge: -1, Expires: time.Unix(0, 0), Secure: j.SecureCookies, SameSite: j.SameSite}
 	http.SetCookie(w, &jwtCookie)
 
 	xsrfCookie := http.Cookie{Name: j.XSRFCookieName, Value: "", HttpOnly: false, Path: "/",
-		MaxAge: -1, Expires: time.Unix(0, 0), Secure: j.SecureCookies}
+		MaxAge: -1, Expires: time.Unix(0, 0), Secure: j.SecureCookies, SameSite: j.SameSite}
 	http.SetCookie(w, &xsrfCookie)
 }