chore: unsafe session cookies for development

olevski · olevski · commit 0d156a10671b · 2025-01-27T10:49:00.000+01:00
diff --git a/internal/config/config.yaml b/internal/config/config.yaml
@@ -22,6 +22,7 @@ sessions:
     - issuer: https://renkulab.io/auth/realms/Renku
       audience: renku
       authorizedParty: renku-cli
+  unsafeCookieTemplate: false
 revproxy:
   renkuBaseUrl: "https://renkulab.io"
   externalGitlabUrl:
diff --git a/internal/config/session.go b/internal/config/session.go
@@ -11,6 +11,8 @@ type SessionConfig struct {
 	// NOTE: UnsafeNoCookieHandler should only be used for testing, in production this has to be false/unset
 	// without this there is no CSRF protection on the oauth callback endpoint
 	UnsafeNoCookieHandler bool
+	// NOTE: Unsafe cookie template should only be used for testing. It is NOT SAFE for production.
+	UnsafeCookieTemplate bool
 }
 
 type AuthorizationVerifier struct {
@@ -29,5 +31,8 @@ func (c *SessionConfig) Validate(e RunningEnvironment) error {
 	if e != Development && c.UnsafeNoCookieHandler {
 		return fmt.Errorf("a cookie handler needs to be configured in production")
 	}
+	if e != Development && c.UnsafeCookieTemplate {
+		return fmt.Errorf("a safe cookie template needs to be configured in production")
+	}
 	return nil
 }
diff --git a/internal/sessions/session_store.go b/internal/sessions/session_store.go
@@ -312,6 +312,24 @@ func WithConfig(c config.SessionConfig) SessionStoreOption {
 			}
 			sessions.cookieHandler = securecookie.New(cookieHashKey, cookieEncKey)
 		}
+		if c.UnsafeCookieTemplate {
+			unsafeCookieTmpl := func() http.Cookie {
+				defaultTmpl := defaultSessionCookieTemplate()
+				return http.Cookie{
+					Name:    defaultTmpl.Name,
+					Path:    defaultTmpl.Path,
+					Domain:  defaultTmpl.Domain,
+					Expires: defaultTmpl.Expires,
+					MaxAge:  defaultTmpl.MaxAge,
+					// NOTE: Secure needs to be true so that the SameSite = None works
+					// Enables calling a deployed backend from a local ui client version running on localhost
+					Secure:   true,
+					HttpOnly: false,
+					SameSite: http.SameSiteNoneMode,
+				}
+			}
+			sessions.cookieTemplate = unsafeCookieTmpl
+		}
 
 		sessions.sessionMaker = NewSessionMaker(WithIdleSessionTTLSeconds(c.IdleSessionTTLSeconds), WithMaxSessionTTLSeconds(c.MaxSessionTTLSeconds))
 
@@ -333,16 +351,18 @@ func WithCookieHandler(h models.CookieHandler) SessionStoreOption {
 	}
 }
 
+func defaultSessionCookieTemplate() http.Cookie {
+	return http.Cookie{
+		Name:     SessionCookieName,
+		Path:     "/",
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode}
+}
+
 func NewSessionStore(options ...SessionStoreOption) (*SessionStore, error) {
 	sessions := SessionStore{
-		cookieTemplate: func() http.Cookie {
-			return http.Cookie{
-				Name:     SessionCookieName,
-				Path:     "/",
-				Secure:   true,
-				HttpOnly: true,
-				SameSite: http.SameSiteLaxMode}
-		},
+		cookieTemplate: defaultSessionCookieTemplate,
 	}
 	for _, opt := range options {
 		err := opt(&sessions)

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ type SessionConfig struct {`
`11`	`11`	`// NOTE: UnsafeNoCookieHandler should only be used for testing, in production this has to be false/unset`
`12`	`12`	`// without this there is no CSRF protection on the oauth callback endpoint`
`13`	`13`	`UnsafeNoCookieHandler bool`
	`14`	`+ // NOTE: Unsafe cookie template should only be used for testing. It is NOT SAFE for production.`
	`15`	`+ UnsafeCookieTemplate bool`
`14`	`16`	`}`
`15`	`17`
`16`	`18`	`type AuthorizationVerifier struct {`
`@@ -29,5 +31,8 @@ func (c *SessionConfig) Validate(e RunningEnvironment) error {`
`29`	`31`	`if e != Development && c.UnsafeNoCookieHandler {`
`30`	`32`	`return fmt.Errorf("a cookie handler needs to be configured in production")`
`31`	`33`	`}`
	`34`	`+ if e != Development && c.UnsafeCookieTemplate {`
	`35`	`+ return fmt.Errorf("a safe cookie template needs to be configured in production")`
	`36`	`+ }`
`32`	`37`	`return nil`
`33`	`38`	`}`