[feature] Start adding advanced configuration options, starting with …

…`samesite` (#628)

* fix incorrect port being used for db

* start adding advanced config flags

* use samesite lax by default

docs/configuration/advanced.md

@@ -0,0 +1,38 @@
+# Advanced
+
+Advanced settings options are provided for the sake of allowing admins to tune their instance to their liking.
+
+These are set to sensible defaults, so most server admins won't need to touch them or think about them.
+
+**Changing these settings if you don't know what you're doing may break your instance**.
+
+## Settings
+
+```yaml
+#############################
+##### ADVANCED SETTINGS #####
+#############################
+
+# Advanced settings pertaining to http timeouts, security, cookies, and more.
+#
+# ONLY ADJUST THESE SETTINGS IF YOU KNOW WHAT YOU ARE DOING!
+#
+# Most users will not need to (and should not) touch these settings, since
+# they are set to sensible defaults, and may break if they are changed.
+#
+# Nevertheless, they are provided for the sake of allowing server admins to
+# tweak their instance for performance or security reasons.
+
+# String. Value of the SameSite attribute of cookies set by GoToSocial.
+# Defaults to 'lax' to ensure that the OIDC flow does not break, which is
+# fine in most cases. If you want to harden your instance against CSRF attacks
+# and don't mind if some login-related things might break, you can set this
+# to 'strict' instead.
+#
+# For an overview of what this does, see:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+#
+# Options: ["lax", "strict"]
+# Default: "lax"
+advanced-cookies-samesite: "lax"
+```

example/config.yaml

@@ -428,3 +428,30 @@ syslog-protocol: "udp"
 # String. Address:port to send syslog logs to. Leave empty to connect to local syslog.
 # Default: "localhost:514"
 syslog-address: "localhost:514"
+
+#############################
+##### ADVANCED SETTINGS #####
+#############################
+
+# Advanced settings pertaining to http timeouts, security, cookies, and more.
+#
+# ONLY ADJUST THESE SETTINGS IF YOU KNOW WHAT YOU ARE DOING!
+#
+# Most users will not need to (and should not) touch these settings, since
+# they are set to sensible defaults, and may break if they are changed.
+#
+# Nevertheless, they are provided for the sake of allowing server admins to
+# tweak their instance for performance or security reasons.
+
+# String. Value of the SameSite attribute of cookies set by GoToSocial.
+# Defaults to 'lax' to ensure that the OIDC flow does not break, which is
+# fine in most cases. If you want to harden your instance against CSRF attacks
+# and don't mind if some login-related things might break, you can set this
+# to 'strict' instead.
+#
+# For an overview of what this does, see:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+#
+# Options: ["lax", "strict"]
+# Default: "lax"
+advanced-cookies-samesite: "lax"

internal/config/config.go

@@ -114,6 +114,8 @@ type Configuration struct {
 	AdminAccountEmail    string `name:"email" usage:"the email address of this account"`
 	AdminAccountPassword string `name:"password" usage:"the password to set for this account"`
 	AdminTransPath       string `name:"path" usage:"the path of the file to import from/export to"`
+
+	AdvancedCookiesSamesite string `name:"advanced-cookies-samesite" usage:"'strict' or 'lax', see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite"`
 }
 
 // MarshalMap will marshal current Configuration into a map structure (useful for JSON).

internal/config/defaults.go

@@ -87,4 +87,6 @@ var Defaults = Configuration{
 	SyslogEnabled:  false,
 	SyslogProtocol: "udp",
 	SyslogAddress:  "localhost:514",
+
+	AdvancedCookiesSamesite: "lax",
 }

internal/config/flags.go

@@ -109,6 +109,9 @@ func AddServerFlags(cmd *cobra.Command) {
 		cmd.Flags().Bool(SyslogEnabledFlag(), cfg.SyslogEnabled, fieldtag("SyslogEnabled", "usage"))
 		cmd.Flags().String(SyslogProtocolFlag(), cfg.SyslogProtocol, fieldtag("SyslogProtocol", "usage"))
 		cmd.Flags().String(SyslogAddressFlag(), cfg.SyslogAddress, fieldtag("SyslogAddress", "usage"))
+
+		// Advanced flags
+		cmd.Flags().String(AdvancedCookiesSamesiteFlag(), cfg.AdvancedCookiesSamesite, fieldtag("AdvancedCookiesSamesite", "usage"))
 	})
 }
 

internal/config/helpers.gen.go

@@ -1492,3 +1492,28 @@ func GetAdminTransPath() string { return global.GetAdminTransPath() }
 
 // SetAdminTransPath safely sets the value for global configuration 'AdminTransPath' field
 func SetAdminTransPath(v string) { global.SetAdminTransPath(v) }
+
+// GetAdvancedCookiesSamesite safely fetches the Configuration value for state's 'AdvancedCookiesSamesite' field
+func (st *ConfigState) GetAdvancedCookiesSamesite() (v string) {
+	st.mutex.Lock()
+	v = st.config.AdvancedCookiesSamesite
+	st.mutex.Unlock()
+	return
+}
+
+// SetAdvancedCookiesSamesite safely sets the Configuration value for state's 'AdvancedCookiesSamesite' field
+func (st *ConfigState) SetAdvancedCookiesSamesite(v string) {
+	st.mutex.Lock()
+	defer st.mutex.Unlock()
+	st.config.AdvancedCookiesSamesite = v
+	st.reloadToViper()
+}
+
+// AdvancedCookiesSamesiteFlag returns the flag name for the 'AdvancedCookiesSamesite' field
+func AdvancedCookiesSamesiteFlag() string { return "advanced-cookies-samesite" }
+
+// GetAdvancedCookiesSamesite safely fetches the value for global configuration 'AdvancedCookiesSamesite' field
+func GetAdvancedCookiesSamesite() string { return global.GetAdvancedCookiesSamesite() }
+
+// SetAdvancedCookiesSamesite safely sets the value for global configuration 'AdvancedCookiesSamesite' field
+func SetAdvancedCookiesSamesite(v string) { global.SetAdvancedCookiesSamesite(v) }

internal/db/bundb/bundb.go

@@ -348,7 +348,7 @@ func deriveBunDBPGOptions() (*pgx.ConnConfig, error) {
 	if address != "" {
 		cfg.Host = address
 	}
-	if port := config.GetPort(); port > 0 {
+	if port := config.GetDbPort(); port > 0 {
 		cfg.Port = uint16(port)
 	}
 	if u := config.GetDbUser(); u != "" {

internal/router/session.go

@@ -24,24 +24,41 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/memstore"
 	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"golang.org/x/net/idna"
 )
 
 // SessionOptions returns the standard set of options to use for each session.
 func SessionOptions() sessions.Options {
+	var samesite http.SameSite
+	switch strings.TrimSpace(strings.ToLower(config.GetAdvancedCookiesSamesite())) {
+	case "lax":
+		samesite = http.SameSiteLaxMode
+	case "strict":
+		samesite = http.SameSiteStrictMode
+	default:
+		logrus.Warnf("%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), config.GetAdvancedCookiesSamesite())
+		samesite = http.SameSiteLaxMode
+	}
+
 	return sessions.Options{
-		Path:     "/",
-		Domain:   config.GetHost(),
-		MaxAge:   120,                             // 2 minutes
-		Secure:   config.GetProtocol() == "https", // only use cookie over https
-		HttpOnly: true,                            // exclude javascript from inspecting cookie
-		SameSite: http.SameSiteStrictMode,         // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+		Path:   "/",
+		Domain: config.GetHost(),
+		// 2 minutes
+		MaxAge: 120,
+		// only set secure over https
+		Secure: config.GetProtocol() == "https",
+		// forbid javascript from inspecting cookie
+		HttpOnly: true,
+		// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+		SameSite: samesite,
 	}
 }
 

mkdocs.yml

@@ -35,6 +35,7 @@ nav:
     - "configuration/oidc.md"
     - "configuration/smtp.md"
     - "configuration/syslog.md"
+    - "configuration/advanced.md"
   - "Admin":
     - "admin/admin_panel.md"
     - "admin/cli.md"