
moves cookie https setting to [security]

bergquist 7 年之前
父节点
当前提交
d6edaa1328
共有 7 个文件被更改,包括 25 次插入21 次删除
  1. 3 3
      conf/defaults.ini
  2. 3 3
      conf/sample.ini
  3. 1 1
      pkg/api/login.go
  4. 14 10
      pkg/api/login_oauth.go
  5. 1 1
      pkg/services/auth/auth_token.go
  6. 0 1
      pkg/services/auth/auth_token_test.go
  7. 3 2
      pkg/setting/setting.go

+ 3 - 3
conf/defaults.ini

@@ -113,9 +113,6 @@ cache_mode = private
 # Login cookie name
 cookie_name = grafana_session
 
-# If you want login cookies to be https only. default is false
-cookie_secure = false
-
 # How many days an session can be unused before we inactivate it
 login_remember_days = 7
 
@@ -203,6 +200,9 @@ data_source_proxy_whitelist =
 # disable protection against brute force login attempts
 disable_brute_force_login_protection = false
 
+# set cookies as https only. default is false
+https_flag_cookies = false
+
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options

+ 3 - 3
conf/sample.ini

@@ -109,9 +109,6 @@ log_queries =
 # Login cookie name
 ;cookie_name = grafana_session
 
-# If you want login cookies to be https only. default is false
-;cookie_secure = false
-
 # How many days an session can be unused before we inactivate it
 ;login_remember_days = 7
 
@@ -190,6 +187,9 @@ log_queries =
 # disable protection against brute force login attempts
 ;disable_brute_force_login_protection = false
 
+# set cookies as https only. default is false
+;https_flag_cookies = false
+
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options

+ 1 - 1
pkg/api/login.go

@@ -176,7 +176,7 @@ func (hs *HTTPServer) trySetEncryptedCookie(ctx *m.ReqContext, cookieName string
 		Value:    hex.EncodeToString(encryptedError),
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   hs.Cfg.LoginCookieSecure,
+		Secure:   hs.Cfg.SecurityHTTPSCookies,
 	})
 
 	return nil

+ 14 - 10
pkg/api/login_oauth.go

@@ -60,8 +60,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 	if code == "" {
 		state := GenStateString()
 		hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
-		hs.writeOauthStateCookie(ctx, hashedState, 60)
-
+		hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60)
 		if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
 			ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
 		} else {
@@ -70,19 +69,20 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 		return
 	}
 
-	savedState := ctx.GetCookie(OauthStateCookieName)
+	cookieState := ctx.GetCookie(OauthStateCookieName)
 
 	// delete cookie
 	ctx.Resp.Header().Del("Set-Cookie")
-	hs.writeOauthStateCookie(ctx, "", -1)
+	hs.deleteCookie(ctx.Resp, OauthStateCookieName)
 
-	if savedState == "" {
+	if cookieState == "" {
 		ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
 		return
 	}
 
 	queryState := hashStatecode(ctx.Query("state"), setting.OAuthService.OAuthInfos[name].ClientSecret)
-	if savedState != queryState {
+	oauthLogger.Info("state check", "queryState", queryState, "cookieState", cookieState)
+	if cookieState != queryState {
 		ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
 		return
 	}
@@ -203,14 +203,18 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
 	ctx.Redirect(setting.AppSubUrl + "/")
 }
 
-func (hs *HTTPServer) writeOauthStateCookie(ctx *m.ReqContext, value string, maxAge int) {
-	http.SetCookie(ctx.Resp, &http.Cookie{
-		Name:     OauthStateCookieName,
+func (hs *HTTPServer) deleteCookie(w http.ResponseWriter, name string) {
+	hs.writeCookie(w, name, "", -1)
+}
+
+func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value string, maxAge int) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
 		MaxAge:   maxAge,
 		Value:    value,
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   hs.Cfg.LoginCookieSecure,
+		Secure:   hs.Cfg.SecurityHTTPSCookies,
 	})
 }
 
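Review bot: The new `oauthLogger.Info("state check", "queryState", queryState, "cookieState", cookateState)` line in the second hunk writes both anti-CSRF state values to the log at Info level on every OAuth callback, which adds a line per login and puts a secret-derived value (hashStatecode takes the client secret, per the line above it) into log files that are usually retained and shipped elsewhere. A mismatch already produces its own 500 on the next lines, so the successful case carries no diagnostic value; at most this belongs at Debug, e.g. `oauthLogger.Debug("state check", "queryState", queryState, "cookieState", cookieState)`, or dropped and replaced by logging only the mismatch branch without the values. The extracted `writeCookie`/`deleteCookie` helpers in the third hunk are a good change; a one-line doc comment on each, such as `// writeCookie sets an HttpOnly cookie under AppSubUrl whose Secure flag follows Cfg.SecurityHTTPSCookies.`, would make the shared contract explicit now that three call sites depend on it. OAuthLogin itself starts before the first hunk and the parts between hunks are not visible here.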

+ 1 - 1
pkg/services/auth/auth_token.go

@@ -95,7 +95,7 @@ func (s *UserAuthTokenServiceImpl) writeSessionCookie(ctx *models.ReqContext, va
 		HttpOnly: true,
 		Domain:   setting.Domain,
 		Path:     setting.AppSubUrl + "/",
-		Secure:   s.Cfg.LoginCookieSecure,
+		Secure:   s.Cfg.SecurityHTTPSCookies,
 		MaxAge:   maxAge,
 	}
 

+ 0 - 1
pkg/services/auth/auth_token_test.go

@@ -293,7 +293,6 @@ func createTestContext(t *testing.T) *testContext {
 		SQLStore: sqlstore,
 		Cfg: &setting.Cfg{
 			LoginCookieName:                   "grafana_session",
-			LoginCookieSecure:                 false,
 			LoginCookieMaxDays:                7,
 			LoginDeleteExpiredTokensAfterDays: 30,
 			LoginCookieRotation:               10,

+ 3 - 2
pkg/setting/setting.go

@@ -223,10 +223,11 @@ type Cfg struct {
 	EnterpriseLicensePath            string
 
 	LoginCookieName                   string
-	LoginCookieSecure                 bool
 	LoginCookieMaxDays                int
 	LoginCookieRotation               int
 	LoginDeleteExpiredTokensAfterDays int
+
+	SecurityHTTPSCookies bool
 }
 
 type CommandLineArgs struct {
@@ -554,7 +555,6 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	login := iniFile.Section("login")
 	cfg.LoginCookieName = login.Key("cookie_name").MustString("grafana_session")
 	cfg.LoginCookieMaxDays = login.Key("login_remember_days").MustInt(7)
-	cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)
 	cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
 	cfg.LoginCookieRotation = login.Key("rotate_token_minutes").MustInt(30)
 	if cfg.LoginCookieRotation < 2 {
@@ -603,6 +603,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	SecretKey = security.Key("secret_key").String()
 	DisableGravatar = security.Key("disable_gravatar").MustBool(true)
 	cfg.DisableBruteForceLoginProtection = security.Key("disable_brute_force_login_protection").MustBool(false)
+	cfg.SecurityHTTPSCookies = security.Key("https_flag_cookies").MustBool(false)
 	DisableBruteForceLoginProtection = cfg.DisableBruteForceLoginProtection
 
 	// read snapshots settings
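Review bot: The removed `cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)` line in the second hunk and the added `cfg.SecurityHTTPSCookies = security.Key("https_flag_cookies").MustBool(false)` in the third mean the old `[login] cookie_secure` key is no longer read anywhere in Load, so an existing deployment that set `cookie_secure = true` will, after this upgrade, silently start issuing session, OAuth-state and error cookies without the Secure flag until the operator notices and adds the new key. Since `login` is still in scope at this point of Load, a fallback costs three lines: `if login.Key("cookie_secure").MustBool(false) { cfg.SecurityHTTPSCookies = true }` followed by a deprecation warning naming the new key, so the safe setting is carried over rather than dropped. The same silent rename appears in conf/defaults.ini and conf/sample.ini, whose new comment could mention that it replaces `[login] cookie_secure`. Both hunks are inside Load, which begins and ends outside the diff.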