Skip to content
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion internal/bootstrap/app_bootstrap.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,13 @@ func (app *BootstrapApp) Setup() error {
}

// Get cookie domain
cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
cookieDomainResolver := utils.GetCookieDomain
if !app.config.Auth.SubdomainsEnabled {
tlog.App.Info().Msg("Subdomains disabled, automatic authentication for proxied apps will not work")
cookieDomainResolver = utils.GetStandaloneCookieDomain
}

cookieDomain, err := cookieDomainResolver(app.context.appUrl)

if err != nil {
return err
Expand Down
1 change: 1 addition & 0 deletions internal/bootstrap/service_bootstrap.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, er
SessionCookieName: app.context.sessionCookieName,
IP: app.config.Auth.IP,
LDAPGroupsCacheTTL: app.config.Ldap.GroupCacheTTL,
SubdomainsEnabled: app.config.Auth.SubdomainsEnabled,
}, dockerService, services.ldapService, queries, services.oauthBrokerService)

err = authService.Init()
Expand Down
2 changes: 2 additions & 0 deletions internal/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ func NewDefaultConfiguration() *Config {
Address: "0.0.0.0",
},
Auth: AuthConfig{
SubdomainsEnabled: true,
SessionExpiry: 86400, // 1 day
SessionMaxLifetime: 0, // disabled
LoginTimeout: 300, // 5 minutes
Expand Down Expand Up @@ -115,6 +116,7 @@ type ServerConfig struct {
type AuthConfig struct {
IP IPConfig `description:"IP whitelisting config options." yaml:"ip"`
Users []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
SubdomainsEnabled bool `description:"Enable subdomains support." yaml:"subdomainsEnabled"`
UserAttributes map[string]UserAttributes `description:"Map of per-user OIDC attributes (username -> attributes)." yaml:"userAttributes"`
UsersFile string `description:"Path to the users file." yaml:"usersFile"`
SecureCookie bool `description:"Enable secure cookies." yaml:"secureCookie"`
Expand Down
12 changes: 10 additions & 2 deletions internal/controller/oauth_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ type OAuthControllerConfig struct {
SecureCookie bool
AppURL string
CookieDomain string
SubdomainsEnabled bool
Comment thread
steveiliop56 marked this conversation as resolved.
}

type OAuthController struct {
Expand Down Expand Up @@ -106,7 +107,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
return
}

c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.SecureCookie, true)

c.JSON(200, gin.H{
"status": 200,
Expand Down Expand Up @@ -136,7 +137,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
return
}

c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.SecureCookie, true)

oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)

Expand Down Expand Up @@ -282,3 +283,10 @@ func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams)
params.ClientID != "" &&
params.RedirectURI != ""
}

func (controller *OAuthController) getCookieDomain() string {
if controller.config.SubdomainsEnabled {
return "." + controller.config.CookieDomain
}
return controller.config.CookieDomain
}
14 changes: 11 additions & 3 deletions internal/service/auth_service.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ type AuthServiceConfig struct {
SessionCookieName string
IP config.IPConfig
LDAPGroupsCacheTTL int
SubdomainsEnabled bool
}

type AuthService struct {
Expand Down Expand Up @@ -327,7 +328,7 @@ func (auth *AuthService) CreateSessionCookie(c *gin.Context, data *repository.Se
return err
}

c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
c.SetCookie(auth.config.SessionCookieName, session.UUID, expiry, "/", auth.getCookieDomain(), auth.config.SecureCookie, true)

return nil
}
Expand Down Expand Up @@ -378,7 +379,7 @@ func (auth *AuthService) RefreshSessionCookie(c *gin.Context) error {
return err
}

c.SetCookie(auth.config.SessionCookieName, cookie, int(newExpiry-currentTime), "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
c.SetCookie(auth.config.SessionCookieName, cookie, int(newExpiry-currentTime), "/", auth.getCookieDomain(), auth.config.SecureCookie, true)
tlog.App.Trace().Str("username", session.Username).Msg("Session cookie refreshed")

return nil
Expand All @@ -397,7 +398,7 @@ func (auth *AuthService) DeleteSessionCookie(c *gin.Context) error {
return err
}

c.SetCookie(auth.config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.config.CookieDomain), auth.config.SecureCookie, true)
c.SetCookie(auth.config.SessionCookieName, "", -1, "/", auth.getCookieDomain(), auth.config.SecureCookie, true)

return nil
}
Expand Down Expand Up @@ -834,3 +835,10 @@ func (auth *AuthService) ClearRateLimitsTestingOnly() {
}
auth.loginMutex.Unlock()
}

func (auth *AuthService) getCookieDomain() string {
if auth.config.SubdomainsEnabled {
return "." + auth.config.CookieDomain
}
return auth.config.CookieDomain
}
9 changes: 9 additions & 0 deletions internal/utils/app_utils.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,15 @@ func GetCookieDomain(u string) (string, error) {
return domain, nil
}

func GetStandaloneCookieDomain(u string) (string, error) {
Comment thread
steveiliop56 marked this conversation as resolved.
parsed, err := url.Parse(u)
if err != nil {
return "", err
}

return parsed.Hostname(), nil
}

func ParseFileToLine(content string) string {
lines := strings.Split(content, "\n")
users := make([]string, 0)
Expand Down