IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
27,354 Commits 5,454 Branches 554 Tags 1.9 GiB
924212b42b
Commit Graph

4 Commits

Author SHA1 Message Date
Arve Knudsen
8d5b0084f1
Middleware: Simplifications (#29491) 
* Middleware: Simplify

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* middleware: Rename auth_proxy directory to authproxy

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
 2020-12-02 12:44:51 +01:00
Erik Sundell
d94796a022
Auth: Remove trailing / in cookies' path (#22265) (#22265) 
According to the stackoverflow answer below, it is recommended to not
include a trailing / in cookies' path. By removing the trailing / for
our cookies path value, people's browsers visiting grafana will pass the
cookie not only to /grafana/ sub paths but also to /grafana sub paths.

This commit avoids the situation where a user would visit
http://localhost/grafana, get redirected to
http://localhost/grafana/login, and following login get redirected back
to http://localhost/grafana, but since the grafana_session cookie isn't
passed along get redirected back once more to
http://localhost/grafana/login.

ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228
ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
 2020-04-06 17:56:19 +03:00
Marcus Efraimsson
a1579283a6
Add disabled option for cookie samesite attribute (#21472) 
Breaking change: If disabled the cookie samesite cookie attribute
will not be set, but if none the attribute will be set and is a
breaking change compared to before where none did not render the
attribute. This was due to a known issue in Safari.

Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

Fixes #19847
 2020-01-14 17:41:54 +01:00
Jeffrey Descan
c5f906f472 Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) 
* Refactor redirect_to cookie with secure flag in middleware

* Refactor redirect_to cookie with secure flag in api/login

* Refactor redirect_to cookie with secure flag in api/login_oauth

* Removed the deletion of 'Set-Cookie' header to prevent logout

* Removed the deletion of 'Set-Cookie' at top of api/login.go

* Add HttpOnly flag on redirect_to cookies where missing

* Refactor duplicated code

* Add tests

* Refactor cookie options

* Replace local function for deleting cookie

* Delete redundant calls

Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
 2020-01-10 15:55:30 +02:00