feat: better control for cookie secure flag

ory · Sep 7, 2022 · 90d539f · 90d539f
1 parent cafe89a
commit 90d539f
Show file tree

Hide file tree

Showing 12 changed files with 55 additions and 35 deletions.
diff --git a/Makefile b/Makefile
@@ -97,6 +97,7 @@ format: .bin/goimports node_modules
 mocks: .bin/mockgen
 		mockgen -package oauth2_test -destination oauth2/oauth2_provider_mock_test.go github.com/ory/fosite OAuth2Provider
 		mockgen -package jwk_test -destination jwk/registry_mock_test.go -source=jwk/registry.go
+		go generate ./...
 
 # Generates the SDKs
 .PHONY: sdk

diff --git a/cmd/output_client.go b/cmd/output_client.go
@@ -2,9 +2,10 @@ package cmd
 
 import (
 	"fmt"
-	"github.com/ory/x/pointerx"
 	"strings"
 
+	"github.com/ory/x/pointerx"
+
 	hydra "github.com/ory/hydra-client-go"
 )
 

diff --git a/consent/helper.go b/consent/helper.go
@@ -78,7 +78,7 @@ func createCsrfSession(w http.ResponseWriter, r *http.Request, conf x.CookieConf
 
 	session.Values["csrf"] = csrfValue
 	session.Options.HttpOnly = true
-	session.Options.Secure = !conf.IsDevelopmentMode(r.Context())
+	session.Options.Secure = conf.CookieSecure(r.Context())
 	session.Options.SameSite = sameSite
 	session.Options.Domain = conf.CookieDomain(r.Context())
 	if err := session.Save(r, w); err != nil {

diff --git a/consent/helper_test.go b/consent/helper_test.go
@@ -259,6 +259,7 @@ func TestValidateCsrfSession(t *testing.T) {
 			config := mock.NewMockCookieConfigProvider(ctrl)
 			config.EXPECT().CookieSameSiteLegacyWorkaround(gomock.Any()).Return(tc.sameSiteLegacyWorkaround).AnyTimes()
 			config.EXPECT().IsDevelopmentMode(gomock.Any()).Return(false).AnyTimes()
+			config.EXPECT().CookieSecure(gomock.Any()).Return(false).AnyTimes()
 
 			sameSite := http.SameSiteDefaultMode
 			if tc.sameSite > 0 {
@@ -402,7 +403,7 @@ func TestCreateCsrfSession(t *testing.T) {
 			config := mock.NewMockCookieConfigProvider(ctrl)
 			config.EXPECT().CookieSameSiteMode(gomock.Any()).Return(tc.sameSite).AnyTimes()
 			config.EXPECT().CookieSameSiteLegacyWorkaround(gomock.Any()).Return(tc.sameSiteLegacyWorkaround).AnyTimes()
-			config.EXPECT().IsDevelopmentMode(gomock.Any()).Return(!tc.secure).AnyTimes()
+			config.EXPECT().CookieSecure(gomock.Any()).Return(tc.secure).AnyTimes()
 			config.EXPECT().CookieDomain(gomock.Any()).Return(tc.domain).AnyTimes()
 
 			err := createCsrfSession(rr, req, config, store, tc.name, "value")

diff --git a/consent/strategy_default.go b/consent/strategy_default.go
@@ -306,7 +306,7 @@ func (s *DefaultStrategy) revokeAuthenticationCookie(w http.ResponseWriter, r *h
 	cookie.Options.HttpOnly = true
 	cookie.Options.Path = "/"
 	cookie.Options.SameSite = s.c.CookieSameSiteMode(ctx)
-	cookie.Options.Secure = !s.c.IsDevelopmentMode(ctx)
+	cookie.Options.Secure = s.c.CookieSecure(ctx)
 	cookie.Options.Domain = s.c.CookieDomain(ctx)
 	cookie.Options.MaxAge = -1
 
@@ -440,7 +440,7 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 	cookie.Options.HttpOnly = true
 	cookie.Options.Path = "/"
 	cookie.Options.SameSite = s.c.CookieSameSiteMode(ctx)
-	cookie.Options.Secure = !s.c.IsDevelopmentMode(ctx)
+	cookie.Options.Secure = s.c.CookieSecure(ctx)
 	if err := cookie.Save(r, w); err != nil {
 		return nil, errorsx.WithStack(err)
 	}
@@ -450,7 +450,7 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 			"cookie_name":      s.c.SessionCookieName(ctx),
 			"cookie_http_only": true,
 			"cookie_same_site": s.c.CookieSameSiteMode(ctx),
-			"cookie_secure":    !s.c.IsDevelopmentMode(ctx),
+			"cookie_secure":    s.c.CookieSecure(ctx),
 		}).Debug("Authentication session cookie was set.")
 	return session, nil
 }

diff --git a/driver/config/provider.go b/driver/config/provider.go
@@ -54,6 +54,7 @@ const (
 	KeyCookieSameSiteMode                        = "serve.cookies.same_site_mode"
 	KeyCookieSameSiteLegacyWorkaround            = "serve.cookies.same_site_legacy_workaround"
 	KeyCookieDomain                              = "serve.cookies.domain"
+	KeyCookieSecure                              = "serve.cookies.secure"
 	KeyCookieLoginCSRFName                       = "serve.cookies.names.login_csrf"
 	KeyCookieConsentCSRFName                     = "serve.cookies.names.consent_csrf"
 	KeyCookieSessionName                         = "serve.cookies.names.session"
@@ -259,6 +260,13 @@ func (p *DefaultProvider) ExcludeNotBeforeClaim(ctx context.Context) bool {
 	return p.getProvider(ctx).BoolF(KeyExcludeNotBeforeClaim, false)
 }
 
+func (p *DefaultProvider) CookieSecure(ctx context.Context) bool {
+	if !p.IsDevelopmentMode(ctx) {
+		return true
+	}
+	return p.getProvider(ctx).BoolF(KeyCookieSecure, false)
+}
+
 func (p *DefaultProvider) CookieSameSiteMode(ctx context.Context) http.SameSite {
 	sameSiteModeStr := p.getProvider(ctx).String(KeyCookieSameSiteMode)
 	switch strings.ToLower(sameSiteModeStr) {

diff --git a/driver/config/provider_test.go b/driver/config/provider_test.go
@@ -379,6 +379,22 @@ func TestInfinitRefreshTokenTTL(t *testing.T) {
 	assert.Equal(t, -1*time.Nanosecond, c.GetRefreshTokenLifespan(ctx))
 }
 
+func TestCookieSecure(t *testing.T) {
+	ctx := context.Background()
+	l := logrusx.New("", "")
+	l.Logrus().SetOutput(ioutil.Discard)
+	c := MustNew(context.Background(), l, configx.WithValue(KeyDevelopmentMode, true))
+
+	c.MustSet(ctx, KeyCookieSecure, true)
+	assert.True(t, c.CookieSecure(ctx))
+
+	c.MustSet(ctx, KeyCookieSecure, false)
+	assert.False(t, c.CookieSecure(ctx))
+
+	c.MustSet(ctx, KeyDevelopmentMode, false)
+	assert.True(t, c.CookieSecure(ctx))
+}
+
 func TestTokenRefreshHookURL(t *testing.T) {
 	l := logrusx.New("", "")
 	l.Logrus().SetOutput(ioutil.Discard)

diff --git a/driver/registry_base.go b/driver/registry_base.go
@@ -306,7 +306,7 @@ func (m *RegistryBase) CookieStore(ctx context.Context) sessions.Store {
 	}
 
 	cs := sessions.NewCookieStore(keys...)
-	cs.Options.Secure = !m.Config().IsDevelopmentMode(ctx)
+	cs.Options.Secure = m.Config().CookieSecure(ctx)
 	cs.Options.HttpOnly = true
 
 	// CookieStore MaxAge is set to 86400 * 30 by default. This prevents secure cookies retrieval with expiration > 30 days.

diff --git a/internal/mock/config_cookie.go b/internal/mock/config_cookie.go
diff --git a/jwk/registry_mock_test.go b/jwk/registry_mock_test.go
diff --git a/spec/config.json b/spec/config.json
@@ -400,6 +400,12 @@
               "description": "Sets the cookie domain for session and CSRF cookies. Useful when dealing with subdomains. Use with care!",
               "type": "string"
             },
+            "secure": {
+              "title": "HTTP Cookie Secure Flag in Development Mode",
+              "description": "Sets the HTTP Cookie secure flag in development mode. HTTP Cookies always have the secure flag in production mode.",
+              "type": "boolean",
+              "default": false
+            },
             "names": {
               "title": "Cookie Names",
               "description": "Sets the session cookie name. Use with care!",

diff --git a/x/config.go b/x/config.go
@@ -12,4 +12,5 @@ type CookieConfigProvider interface {
 	IsDevelopmentMode(ctx context.Context) bool
 	CookieSameSiteMode(ctx context.Context) http.SameSite
 	CookieSameSiteLegacyWorkaround(ctx context.Context) bool
+	CookieSecure(ctx context.Context) bool
 }