git724/forgejo
1
0
Fork 0
Code Issues Pull requests 3 Projects 1 Releases Packages Wiki Activity

Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706)

Browse source
This commit is contained in:
SagePtr 2018-08-14 22:16:37 +02:00 committed by Lauris BH
commit 0449330dbc
4 changed files with 26 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

13
routers/routes/routes.go
View file

@ -116,12 +116,13 @@ func NewMacaron() *macaron.Macaron {
})) }))
m.Use(session.Sessioner(setting.SessionConfig)) m.Use(session.Sessioner(setting.SessionConfig))
m.Use(csrf.Csrfer(csrf.Options{ m.Use(csrf.Csrfer(csrf.Options{
Secret: setting.SecretKey, Secret: setting.SecretKey,
Cookie: setting.CSRFCookieName, Cookie: setting.CSRFCookieName,
SetCookie: true, SetCookie: true,
Secure: setting.SessionConfig.Secure, Secure: setting.SessionConfig.Secure,
Header: "X-Csrf-Token", CookieHttpOnly: true,
CookiePath: setting.AppSubURL, Header: "X-Csrf-Token",
CookiePath: setting.AppSubURL,
})) }))
m.Use(toolbox.Toolboxer(m, toolbox.Options{ m.Use(toolbox.Toolboxer(m, toolbox.Options{
HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{ HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{

32
routers/user/auth.go
View file

@ -57,8 +57,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
defer func() { defer func() {
if !isSucceed { if !isSucceed {
log.Trace("auto-login cookie cleared: %s", uname) log.Trace("auto-login cookie cleared: %s", uname)
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
} }
}() }()
@ -78,7 +78,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
isSucceed = true isSucceed = true
ctx.Session.Set("uid", u.ID) ctx.Session.Set("uid", u.ID)
ctx.Session.Set("uname", u.Name) ctx.Session.Set("uname", u.Name)
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
return true, nil return true, nil
} }
@ -92,13 +92,13 @@ func checkAutoLogin(ctx *context.Context) bool {
redirectTo := ctx.Query("redirect_to") redirectTo := ctx.Query("redirect_to")
if len(redirectTo) > 0 { if len(redirectTo) > 0 {
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL) ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
} else { } else {
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to")) redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
} }
if isSucceed { if isSucceed {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL)) ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
return true return true
} }
@ -443,9 +443,9 @@ func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string { func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
if remember { if remember {
days := 86400 * setting.LogInRememberDays days := 86400 * setting.LogInRememberDays
ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL) ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd), ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
setting.CookieRememberName, u.Name, days, setting.AppSubURL) setting.CookieRememberName, u.Name, days, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
} }
ctx.Session.Delete("openid_verified_uri") ctx.Session.Delete("openid_verified_uri")
@ -469,10 +469,10 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
} }
} }
ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL) ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
// Clear whatever CSRF has right now, force to generate a new one // Clear whatever CSRF has right now, force to generate a new one
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
// Register last login // Register last login
u.SetLastLogin() u.SetLastLogin()
@ -482,7 +482,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
} }
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) { if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 && !util.IsExternalURL(redirectTo) {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
if obeyRedirect { if obeyRedirect {
ctx.RedirectToFirst(redirectTo) ctx.RedirectToFirst(redirectTo)
} }
@ -563,7 +563,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
ctx.Session.Set("uname", u.Name) ctx.Session.Set("uname", u.Name)
// Clear whatever CSRF has right now, force to generate a new one // Clear whatever CSRF has right now, force to generate a new one
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
// Register last login // Register last login
u.SetLastLogin() u.SetLastLogin()
@ -573,7 +573,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
} }
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 { if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.RedirectToFirst(redirectTo) ctx.RedirectToFirst(redirectTo)
return return
} }
@ -864,10 +864,10 @@ func SignOut(ctx *context.Context) {
ctx.Session.Delete("socialId") ctx.Session.Delete("socialId")
ctx.Session.Delete("socialName") ctx.Session.Delete("socialName")
ctx.Session.Delete("socialEmail") ctx.Session.Delete("socialEmail")
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL) ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.SetCookie("lang", "", -1, setting.AppSubURL) // Setting the lang cookie will trigger the middleware to reset the language ot previous state. ctx.SetCookie("lang", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
ctx.Redirect(setting.AppSubURL + "/") ctx.Redirect(setting.AppSubURL + "/")
} }

4
routers/user/auth_openid.go
View file

@ -45,13 +45,13 @@ func SignInOpenID(ctx *context.Context) {
redirectTo := ctx.Query("redirect_to") redirectTo := ctx.Query("redirect_to")
if len(redirectTo) > 0 { if len(redirectTo) > 0 {
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL) ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
} else { } else {
redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to")) redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))
} }
if isSucceed { if isSucceed {
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
ctx.RedirectToFirst(redirectTo) ctx.RedirectToFirst(redirectTo)
return return
} }

2
routers/user/setting/profile.go
View file

@ -103,7 +103,7 @@ func ProfilePost(ctx *context.Context, form auth.UpdateProfileForm) {
} }
// Update the language to the one we just set // Update the language to the one we just set
ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL) ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
log.Trace("User settings updated: %s", ctx.User.Name) log.Trace("User settings updated: %s", ctx.User.Name)
ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success")) ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))