
Commit bfda078

authored
Merge pull request bitly#376 from reedloden/make-cookie-domain-optional
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2 parents bc1b839 + b6bd878 commit bfda078


2 files changed

+7
-12
lines changed


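--- a/README.md
+++ b/README.md
@@ -175,7 +175,7 @@ Usage of oauth2_proxy:
 -client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
 -client-secret string: the OAuth Client Secret
 -config string: path to config file
--cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)*
+-cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)
 -cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
 -cookie-httponly: set HttpOnly cookie flag (default true)
 -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")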

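--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -155,16 +155,12 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
 
 log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)
-domain := opts.CookieDomain
-if domain == "" {
-domain = "<default>"
-}
 refresh := "disabled"
 if opts.CookieRefresh != time.Duration(0) {
 refresh = fmt.Sprintf("after %s", opts.CookieRefresh)
 }
 
-log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain, refresh)
+log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, opts.CookieDomain, refresh)
 
 var cipher *cookie.Cipher
 if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
@@ -267,22 +263,21 @@ func (p *OAuthProxy) MakeCSRFCookie(req *http.Request, value string, expiration
 }
 
 func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, expiration time.Duration, now time.Time) *http.Cookie {
-domain := req.Host
-if h, _, err := net.SplitHostPort(domain); err == nil {
-domain = h
-}
 if p.CookieDomain != "" {
+domain := req.Host
+if h, _, err := net.SplitHostPort(domain); err == nil {
+domain = h
+}
 if !strings.HasSuffix(domain, p.CookieDomain) {
 log.Printf("Warning: request host is %q but using configured cookie domain of %q", domain, p.CookieDomain)
 }
-domain = p.CookieDomain
 }
 
 return &http.Cookie{
 Name: name,
 Value: value,
 Path: "/",
-Domain: domain,
+Domain: p.CookieDomain,
 HttpOnly: p.CookieHttpOnly,
 Secure: p.CookieSecure,
 Expires: now.Add(expiration),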
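Review bot: Nothing in the new makeCookie body records why Domain is now taken from p.CookieDomain alone and the request host is no longer used as a fallback, so a later "fix" could quietly reintroduce the host and break the prefix behaviour the PR title is about; a doc comment on the function would pin the contract: `// makeCookie builds the proxy cookie for req. Domain is set only when CookieDomain is configured; an empty Domain leaves the browser to scope the cookie to the request host, which cookie prefixes such as "__Host-" require.` The `domain` local derived from req.Host at new lines 267-270 now feeds only the suffix warning, which is worth a one-line comment (`// only used to warn about a host/domain mismatch`) since the name suggests it still reaches the cookie. In the first hunk the Cookie settings log line now prints an unset domain as nothing where it previously printed "<default>"; `domain:%q` would render it as `""` and keep that case visible in the log. makeCookie's body continues past the end of the hunk.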
