fix: correct cookie domain on logout (#646)

Closes #645 Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
ory · Sep 1, 2020 · 6d77e04 · 6d77e04
1 parent 91e5a5b
commit 6d77e04
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 22 deletions.
diff --git a/continuity/manager_cookie.go b/continuity/manager_cookie.go
@@ -47,7 +47,7 @@ func (m *ManagerCookie) Pause(ctx context.Context, w http.ResponseWriter, r *htt
 	}
 	c := NewContainer(name, *o)
 
-	if err := x.SessionPersistValues(w, r, m.d.CookieManager(), cookieName, map[string]interface{}{
+	if err := x.SessionPersistValues(w, r, m.d.ContinuityCookieManager(), cookieName, map[string]interface{}{
 		name: c.ID.String(),
 	}); err != nil {
 		return err
@@ -85,7 +85,7 @@ func (m *ManagerCookie) Continue(ctx context.Context, w http.ResponseWriter, r *
 		return nil, err
 	}
 
-	if err := x.SessionUnsetKey(w, r, m.d.CookieManager(), cookieName, name); err != nil {
+	if err := x.SessionUnsetKey(w, r, m.d.ContinuityCookieManager(), cookieName, name); err != nil {
 		return nil, err
 	}
 
@@ -94,7 +94,7 @@ func (m *ManagerCookie) Continue(ctx context.Context, w http.ResponseWriter, r *
 
 func (m *ManagerCookie) sid(ctx context.Context, r *http.Request, name string) (uuid.UUID, error) {
 	var sid uuid.UUID
-	if s, err := x.SessionGetString(r, m.d.CookieManager(), cookieName, name); err != nil {
+	if s, err := x.SessionGetString(r, m.d.ContinuityCookieManager(), cookieName, name); err != nil {
 		return sid, errors.WithStack(ErrNotResumable.WithDebugf("%+v", err))
 	} else if sid = x.ParseUUID(s); sid == uuid.Nil {
 		return sid, errors.WithStack(ErrNotResumable.WithDebug("sid is not a valid uuid"))
@@ -127,7 +127,7 @@ func (m ManagerCookie) Abort(ctx context.Context, w http.ResponseWriter, r *http
 		return err
 	}
 
-	if err := x.SessionUnsetKey(w, r, m.d.CookieManager(), cookieName, name); err != nil {
+	if err := x.SessionUnsetKey(w, r, m.d.ContinuityCookieManager(), cookieName, name); err != nil {
 		return err
 	}
 

diff --git a/driver/registry.go b/driver/registry.go
@@ -53,6 +53,7 @@ type Registry interface {
 
 	HealthHandler() *healthx.Handler
 	CookieManager() sessions.Store
+	ContinuityCookieManager() sessions.Store
 
 	RegisterRoutes(public *x.RouterPublic, admin *x.RouterAdmin)
 	RegisterPublicRoutes(public *x.RouterPublic)

diff --git a/driver/registry_default.go b/driver/registry_default.go
@@ -83,7 +83,8 @@ type RegistryDefault struct {
 	identityValidator *identity.Validator
 	identityManager   *identity.Manager
 
-	continuityManager continuity.Manager
+	continuityManager      continuity.Manager
+	continuitySessionStore *sessions.CookieStore
 
 	schemaHandler *schema.Handler
 
@@ -381,11 +382,38 @@ func (m *RegistryDefault) CookieManager() sessions.Store {
 		cs := sessions.NewCookieStore(m.c.SecretsSession()...)
 		cs.Options.Secure = !m.c.IsInsecureDevMode()
 		cs.Options.HttpOnly = true
+		if m.c.SessionDomain() != "" {
+			cs.Options.Domain = m.c.SessionDomain()
+		}
+
+		if m.c.SessionPath() != "" {
+			cs.Options.Path = m.c.SessionPath()
+		}
+
+		if m.c.SessionSameSiteMode() != 0 {
+			cs.Options.SameSite = m.c.SessionSameSiteMode()
+		}
+
+		cs.Options.MaxAge = 0
+		if m.c.SessionPersistentCookie() {
+			cs.Options.MaxAge = int(m.c.SessionLifespan().Seconds())
+		}
 		m.sessionsStore = cs
 	}
 	return m.sessionsStore
 }
 
+func (m *RegistryDefault) ContinuityCookieManager() sessions.Store {
+	if m.continuitySessionStore == nil {
+		cs := sessions.NewCookieStore(m.c.SecretsSession()...)
+		cs.Options.Secure = !m.c.IsInsecureDevMode()
+		cs.Options.HttpOnly = true
+		cs.Options.SameSite = http.SameSiteLaxMode
+		m.continuitySessionStore = cs
+	}
+	return m.continuitySessionStore
+}
+
 func (m *RegistryDefault) Tracer() *tracing.Tracer {
 	if m.trc == nil {
 		m.trc = &tracing.Tracer{

diff --git a/session/manager_http.go b/session/manager_http.go
@@ -63,23 +63,6 @@ func (s *ManagerHTTP) CreateToRequest(ctx context.Context, w http.ResponseWriter
 func (s *ManagerHTTP) SaveToRequest(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) error {
 	_ = s.r.CSRFHandler().RegenerateToken(w, r)
 	cookie, _ := s.r.CookieManager().Get(r, s.cookieName)
-	if s.c.SessionDomain() != "" {
-		cookie.Options.Domain = s.c.SessionDomain()
-	}
-
-	if s.c.SessionPath() != "" {
-		cookie.Options.Path = s.c.SessionPath()
-	}
-
-	if s.c.SessionSameSiteMode() != 0 {
-		cookie.Options.SameSite = s.c.SessionSameSiteMode()
-	}
-
-	cookie.Options.MaxAge = 0
-	if s.c.SessionPersistentCookie() {
-		cookie.Options.MaxAge = int(s.c.SessionLifespan().Seconds())
-	}
-
 	cookie.Values["sid"] = session.ID.String()
 	if err := cookie.Save(r, w); err != nil {
 		return errors.WithStack(err)

diff --git a/x/provider.go b/x/provider.go
@@ -18,4 +18,5 @@ type WriterProvider interface {
 
 type CookieProvider interface {
 	CookieManager() sessions.Store
+	ContinuityCookieManager() sessions.Store
 }