Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTTP: specify Domain attribute in user session cookie #3165

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions auth/api/iam/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,7 @@ func (r Wrapper) Routes(router core.EchoRouter) {
// error only happens on invalid did:web DID, which can't happen here
return baseURL.Path
},
CookieDomain: r.auth.PublicURL().Host,
}.Handle)
}

Expand Down
7 changes: 7 additions & 0 deletions auth/api/iam/api_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"errors"
"fmt"
"github.com/nuts-foundation/nuts-node/http/user"
"github.com/nuts-foundation/nuts-node/test"
"net/http"
"net/http/httptest"
"net/url"
Expand Down Expand Up @@ -806,8 +807,11 @@ func TestWrapper_Routes(t *testing.T) {
router.EXPECT().GET(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
router.EXPECT().POST(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()

authServices := auth.NewMockAuthenticationServices(ctrl)
authServices.EXPECT().PublicURL().Return(test.MustParseURL("https://example.com"))
(&Wrapper{
storageEngine: storage.NewTestStorageEngine(t),
auth: authServices,
}).Routes(router)
})
t.Run("cache middleware URLs match registered paths", func(t *testing.T) {
Expand All @@ -824,8 +828,11 @@ func TestWrapper_Routes(t *testing.T) {
return nil
}).AnyTimes()
router.EXPECT().Use(gomock.Any()).AnyTimes()
authServices := auth.NewMockAuthenticationServices(ctrl)
authServices.EXPECT().PublicURL().Return(test.MustParseURL("https://example.com"))
(&Wrapper{
storageEngine: storage.NewTestStorageEngine(t),
auth: authServices,
}).Routes(router)

// Check that all cache-control max-age paths are actual paths
Expand Down
7 changes: 5 additions & 2 deletions http/user/session.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ type SessionMiddleware struct {
Store storage.SessionStore
// CookiePath is a function that returns the path for the user session cookie.
CookiePath func(tenantDID did.DID) string
// CookieDomain is the domain for the user session cookie.
CookieDomain string
}

func (u SessionMiddleware) Handle(next echo.HandlerFunc) echo.HandlerFunc {
Expand Down Expand Up @@ -93,7 +95,7 @@ func (u SessionMiddleware) Handle(next echo.HandlerFunc) echo.HandlerFunc {
return fmt.Errorf("create user session: %w", err)
}
// By scoping the cookie to a tenant (DID)-specific path, the user can have a session per tenant DID on the same domain.
echoCtx.SetCookie(u.createUserSessionCookie(sessionID, u.CookiePath(*tenantDID)))
echoCtx.SetCookie(u.createUserSessionCookie(sessionID, u.CookieDomain, u.CookiePath(*tenantDID)))
}
sessionData.Save = func() error {
return u.Store.Put(sessionID, sessionData)
Expand Down Expand Up @@ -155,13 +157,14 @@ func createUserSession(tenantDID did.DID, timeOut time.Duration) (*Session, erro
}, nil
}

func (u SessionMiddleware) createUserSessionCookie(sessionID string, path string) *http.Cookie {
func (u SessionMiddleware) createUserSessionCookie(sessionID string, domain string, path string) *http.Cookie {
// Do not set Expires: then it isn't a session cookie anymore.
return &http.Cookie{
Name: userSessionCookieName,
Value: sessionID,
Path: path,
MaxAge: int(u.TimeOut.Seconds()),
Domain: domain,
Secure: true, // only transfer over HTTPS
HttpOnly: true, // do not let JavaScript interact with the cookie
SameSite: http.SameSiteStrictMode, // do not allow the cookie to be sent with cross-site requests
Expand Down
4 changes: 2 additions & 2 deletions http/user/session_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -261,10 +261,10 @@ func createInstance(t *testing.T) (SessionMiddleware, storage.SessionStore) {
func TestMiddleware_createUserSessionCookie(t *testing.T) {
cookie := SessionMiddleware{
TimeOut: 30 * time.Minute,
}.createUserSessionCookie("sessionID", "/iam/did:web:example.com:iam:123")
}.createUserSessionCookie("sessionID", "example.com", "/iam/did:web:example.com:iam:123")
assert.Equal(t, "/iam/did:web:example.com:iam:123", cookie.Path)
assert.Equal(t, "__Secure-SID", cookie.Name)
assert.Empty(t, cookie.Domain)
assert.Equal(t, "example.com", cookie.Domain)
assert.Empty(t, cookie.Expires)
assert.Equal(t, 30*time.Minute, time.Duration(cookie.MaxAge)*time.Second)
assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
Expand Down
Loading