Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SameSite option #1

Merged
merged 1 commit into from
Jul 27, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 34 additions & 22 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,28 +16,35 @@ A minimal forward authentication service that provides OAuth/SSO login and authe

# Contents

- [Releases](#releases)
- [Usage](#usage)
- [Simple](#simple)
- [Advanced](#advanced)
- [Provider Setup](#provider-setup)
- [Configuration](#configuration)
- [Overview](#overview)
- [Option Details](#option-details)
- [Concepts](#concepts)
- [Forwarded Headers](#forwarded-headers)
- [User Restriction](#user-restriction)
- [Applying Authentication](#applying-authentication)
- [Global Authentication](#global-authentication)
- [Selective Ingress Authentication in Kubernetes](#selective-ingress-authentication-in-kubernetes)
- [Selective Container Authentication in Swarm](#selective-container-authentication-in-swarm)
- [Rules Based Authentication](#rules-based-authentication)
- [Operation Modes](#operation-modes)
- [Overlay Mode](#overlay-mode)
- [Auth Host Mode](#auth-host-mode)
- [Logging Out](#logging-out)
- [Copyright](#copyright)
- [License](#license)
- [Traefik Forward Auth !Build Status [![Go Report Card](https://goreportcard.com/badge/github.com/thomseddon/traefik-forward-auth)](https://goreportcard.com/report/github.com/thomseddon/traefik-forward-auth) ![Docker Pulls](https://img.shields.io/docker/pulls/thomseddon/traefik-forward-auth.svg) [![GitHub release](https://img.shields.io/github/release/thomseddon/traefik-forward-auth.svg)](https://GitHub.com/thomseddon/traefik-forward-auth/releases/)](#traefik-forward-auth----)
- [Why?](#why)
- [Contents](#contents)
- [Releases](#releases)
- [Upgrade Guide](#upgrade-guide)
- [Usage](#usage)
- [Simple:](#simple)
- [Advanced:](#advanced)
- [Provider Setup](#provider-setup)
- [Google](#google)
- [OpenID Connect](#openid-connect)
- [Generic OAuth2](#generic-oauth2)
- [Configuration](#configuration)
- [Overview](#overview)
- [Option Details](#option-details)
- [Concepts](#concepts)
- [User Restriction](#user-restriction)
- [Forwarded Headers](#forwarded-headers)
- [Applying Authentication](#applying-authentication)
- [Global Authentication](#global-authentication)
- [Selective Ingress Authentication in Kubernetes](#selective-ingress-authentication-in-kubernetes)
- [Selective Container Authentication in Swarm](#selective-container-authentication-in-swarm)
- [Rules Based Authentication](#rules-based-authentication)
- [Operation Modes](#operation-modes)
- [Overlay Mode](#overlay-mode)
- [Auth Host Mode](#auth-host-mode)
- [Logging Out](#logging-out)
- [Copyright](#copyright)
- [License](#license)

## Releases

Expand Down Expand Up @@ -154,6 +161,7 @@ Application Options:
--config= Path to config file [$CONFIG]
--cookie-domain= Domain to set auth cookie on, can be set multiple times [$COOKIE_DOMAIN]
--insecure-cookie Use insecure cookies [$INSECURE_COOKIE]
--same-site-cookie Set SameSite cookie property (0: Default (1), 1: Lax, 2: Strict, 3: None)
--cookie-name= Cookie Name (default: _forward_auth) [$COOKIE_NAME]
--csrf-cookie-name= CSRF Cookie Name (default: _forward_auth_csrf) [$CSRF_COOKIE_NAME]
--default-action=[auth|allow] Default action (default: auth) [$DEFAULT_ACTION]
Expand Down Expand Up @@ -243,6 +251,10 @@ All options can be supplied in any of the following ways, in the following prece

If you are not using HTTPS between the client and traefik, you will need to pass the `insecure-cookie` option which will mean the `Secure` attribute on the cookie will not be set.

- `same-site-cookie`

A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` (same-site-cookie=4) and `Secure` (insecure-cookie=false). You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032

- `cookie-name`

Set the name of the cookie set following successful authentication.
Expand Down
1 change: 1 addition & 0 deletions internal/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,7 @@ func MakeCookie(r *http.Request, email string) *http.Cookie {
Path: "/",
Domain: cookieDomain(r),
HttpOnly: true,
SameSite: http.SameSite(config.SameSiteCookie),
Secure: !config.InsecureCookie,
Expires: expires,
}
Expand Down
7 changes: 7 additions & 0 deletions internal/auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -278,6 +278,13 @@ func TestAuthMakeCookie(t *testing.T) {
c = MakeCookie(r, "test@example.com")
assert.Equal("testname", c.Name)
assert.False(c.Secure)

config.CookieName = "testname"
config.InsecureCookie = true
config.SameSiteCookie = 3
c = MakeCookie(r, "test@example.com")
assert.Equal("testname", c.Name)
assert.Equal(http.SameSiteStrictMode, c.SameSite)
}

func TestAuthMakeCSRFCookie(t *testing.T) {
Expand Down
1 change: 1 addition & 0 deletions internal/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ type Config struct {
Config func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
CookieDomains []CookieDomain `long:"cookie-domain" env:"COOKIE_DOMAIN" env-delim:"," description:"Domain to set auth cookie on, can be set multiple times"`
InsecureCookie bool `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
SameSiteCookie int `long:"same-site-cookie" env:"SAMESITE_COOKIE" default:"0" description:"Set cookies SameSite value (0: Default (1), 1: Lax, 2: Strict, 3: None)"`
CookieName string `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"Cookie Name"`
CSRFCookieName string `long:"csrf-cookie-name" env:"CSRF_COOKIE_NAME" default:"_forward_auth_csrf" description:"CSRF Cookie Name"`
DefaultAction string `long:"default-action" env:"DEFAULT_ACTION" default:"auth" choice:"auth" choice:"allow" description:"Default action"`
Expand Down