Do not set SameSite for OAuth cookie if cookie_samesite is None (#18392)

Sofia Papagiannaki 2019-08-06 09:50:20 +03:00 committed by GitHub
parent 541981c341
commit 269c1fb107
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -60,7 +60,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
if code == "" { if code == "" {
state := GenStateString() state := GenStateString()
hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret) hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60, http.SameSiteLaxMode) hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60, hs.Cfg.CookieSameSite)
if setting.OAuthService.OAuthInfos[name].HostedDomain == "" { if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline)) ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
} else { } else {
@ -73,7 +73,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
// delete cookie // delete cookie
ctx.Resp.Header().Del("Set-Cookie") ctx.Resp.Header().Del("Set-Cookie")
hs.deleteCookie(ctx.Resp, OauthStateCookieName, http.SameSiteLaxMode) hs.deleteCookie(ctx.Resp, OauthStateCookieName, hs.Cfg.CookieSameSite)
if cookieState == "" { if cookieState == "" {
ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil) ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
@ -218,15 +218,18 @@ func (hs *HTTPServer) deleteCookie(w http.ResponseWriter, name string, sameSite
} }
func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value string, maxAge int, sameSite http.SameSite) { func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value string, maxAge int, sameSite http.SameSite) {
http.SetCookie(w, &http.Cookie{ cookie := http.Cookie{
Name: name, Name: name,
MaxAge: maxAge, MaxAge: maxAge,
Value: value, Value: value,
HttpOnly: true, HttpOnly: true,
Path: setting.AppSubUrl + "/", Path: setting.AppSubUrl + "/",
Secure: hs.Cfg.CookieSecure, Secure: hs.Cfg.CookieSecure,
SameSite: sameSite, }
}) if sameSite != http.SameSiteDefaultMode {
cookie.SameSite = sameSite
}
http.SetCookie(w, &cookie)
} }
func hashStatecode(code, seed string) string { func hashStatecode(code, seed string) string {
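Review bot: The OAuth state cookie written by the new `hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60, hs.Cfg.CookieSameSite)` call in the first hunk now inherits whatever mode is configured, including Strict, and a Strict cookie is not sent on the top-level cross-site navigation back from the provider, so when the provider lives on another site the callback would reach the `login.OAuthLogin(missing saved state)` branch of the second hunk. The old code hard-coded Lax, presumably for exactly this reason, while the fix only needs to stop emitting the attribute when the config asks for that; OAuthLogin's body starts and ends outside these hunks. I would route both the writeCookie call and the deleteCookie call in the second hunk through a small helper that lowers Strict to Lax for this one cookie and passes every other configured value through unchanged. A short comment on the new `if sameSite != http.SameSiteDefaultMode` guard in writeCookie, e.g. `// DefaultMode means "do not emit the attribute"; leaving the field at its zero value keeps it off the Set-Cookie header`, would also make the intent of that branch explicit.
```go
// oauthStateSameSite returns the SameSite mode for the OAuth state cookie: the
// configured mode, except that Strict is lowered to Lax because the cookie has
// to be sent on the top-level navigation back from the provider.
func (hs *HTTPServer) oauthStateSameSite() http.SameSite {
	if hs.Cfg.CookieSameSite == http.SameSiteStrictMode {
		return http.SameSiteLaxMode
	}
	return hs.Cfg.CookieSameSite
}

// … unchanged: state generation and hashing in OAuthLogin …
hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60, hs.oauthStateSameSite())
// … unchanged: callback handling up to the cookie deletion …
hs.deleteCookie(ctx.Resp, OauthStateCookieName, hs.oauthStateSameSite())
```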