chore: unsafe session cookies for development

olevski · olevski · commit 6473b8fa8e06 · 2025-01-27T09:42:34.000+01:00
diff --git a/internal/config/config.yaml b/internal/config/config.yaml
@@ -22,6 +22,7 @@ sessions:
     - issuer: https://renkulab.io/auth/realms/Renku
       audience: renku
       authorizedParty: renku-cli
+  unsafeCookieTemplate: false
 revproxy:
   renkuBaseUrl: "https://renkulab.io"
   externalGitlabUrl:
diff --git a/internal/config/session.go b/internal/config/session.go
@@ -11,6 +11,8 @@ type SessionConfig struct {
 	// NOTE: UnsafeNoCookieHandler should only be used for testing, in production this has to be false/unset
 	// without this there is no CSRF protection on the oauth callback endpoint
 	UnsafeNoCookieHandler bool
+	// NOTE: Unsafe cookie template should only be used for testing. It is NOT SAFE for production.
+	UnsafeCookieTemplate bool
 }
 
 type AuthorizationVerifier struct {
@@ -29,5 +31,8 @@ func (c *SessionConfig) Validate(e RunningEnvironment) error {
 	if e != Development && c.UnsafeNoCookieHandler {
 		return fmt.Errorf("a cookie handler needs to be configured in production")
 	}
+	if e != Development && c.UnsafeCookieTemplate {
+		return fmt.Errorf("a safe cookie template needs to be configured in production")
+	}
 	return nil
 }
diff --git a/internal/sessions/session_store.go b/internal/sessions/session_store.go
@@ -312,6 +312,24 @@ func WithConfig(c config.SessionConfig) SessionStoreOption {
 			}
 			sessions.cookieHandler = securecookie.New(cookieHashKey, cookieEncKey)
 		}
+		if c.UnsafeCookieTemplate {
+			unsafeCookieTmpl := func() http.Cookie {
+				defaultTmpl := sessions.cookieTemplate()
+				return http.Cookie{
+					Name:    defaultTmpl.Name,
+					Path:    defaultTmpl.Path,
+					Domain:  defaultTmpl.Domain,
+					Expires: defaultTmpl.Expires,
+					MaxAge:  defaultTmpl.MaxAge,
+					// NOTE: Secure needs to be true so that the SameSite = None works
+					// Enables calling a deployed backend from a local ui client version running on localhost
+					Secure:   true,
+					HttpOnly: false,
+					SameSite: http.SameSiteNoneMode,
+				}
+			}
+			sessions.cookieTemplate = unsafeCookieTmpl
+		}
 
 		sessions.sessionMaker = NewSessionMaker(WithIdleSessionTTLSeconds(c.IdleSessionTTLSeconds), WithMaxSessionTTLSeconds(c.MaxSessionTTLSeconds))
 

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ type SessionConfig struct {`
`11`	`11`	`// NOTE: UnsafeNoCookieHandler should only be used for testing, in production this has to be false/unset`
`12`	`12`	`// without this there is no CSRF protection on the oauth callback endpoint`
`13`	`13`	`UnsafeNoCookieHandler bool`
	`14`	`+ // NOTE: Unsafe cookie template should only be used for testing. It is NOT SAFE for production.`
	`15`	`+ UnsafeCookieTemplate bool`
`14`	`16`	`}`
`15`	`17`
`16`	`18`	`type AuthorizationVerifier struct {`
`@@ -29,5 +31,8 @@ func (c *SessionConfig) Validate(e RunningEnvironment) error {`
`29`	`31`	`if e != Development && c.UnsafeNoCookieHandler {`
`30`	`32`	`return fmt.Errorf("a cookie handler needs to be configured in production")`
`31`	`33`	`}`
	`34`	`+ if e != Development && c.UnsafeCookieTemplate {`
	`35`	`+ return fmt.Errorf("a safe cookie template needs to be configured in production")`
	`36`	`+ }`
`32`	`37`	`return nil`
`33`	`38`	`}`