Skip to content

Commit 83eae5e

Browse files
committed
fix: make secure cookie settings conditional on dev mode
Closes #2937 Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 parent 300adaf commit 83eae5e

2 files changed

Lines changed: 28 additions & 15 deletions

File tree

app/controlplane/internal/server/http.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
//
2-
// Copyright 2024 The Chainloop Authors.
2+
// Copyright 2024-2026 The Chainloop Authors.
33
//
44
// Licensed under the Apache License, Version 2.0 (the "License");
55
// you may not use this file except in compliance with the License.
@@ -60,6 +60,8 @@ func NewHTTPServer(opts *Opts, grpcSrv *grpc.Server) (*http.Server, error) {
6060

6161
// initialize the underneath http server
6262
httpSrv := http.NewServer(serverOpts...)
63+
// Relax secure cookie settings in development mode
64+
opts.AuthSvc.SetDevMode(Version == "dev")
6365
// NOTE: these non-grpc transcoded methods DO NOT RUN the middlewares
6466
httpSrv.Handle(service.AuthLoginPath, middlewares_http.Logging(opts.Logger, opts.AuthSvc.RegisterLoginHandler()))
6567
httpSrv.Handle(service.AuthCallbackPath, middlewares_http.Logging(opts.Logger, opts.AuthSvc.RegisterCallbackHandler()))

app/controlplane/internal/service/auth.go

Lines changed: 25 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
//
2-
// Copyright 2024-2025 The Chainloop Authors.
2+
// Copyright 2024-2026 The Chainloop Authors.
33
//
44
// Licensed under the Apache License, Version 2.0 (the "License");
55
// you may not use this file except in compliance with the License.
@@ -114,6 +114,7 @@ type AuthService struct {
114114
orgInvitesUseCase *biz.OrgInvitationUseCase
115115
AuthURLs *AuthURLs
116116
auditorUseCase *biz.AuditorUseCase
117+
devMode bool
117118
}
118119

119120
func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC *biz.MembershipUseCase, inviteUC *biz.OrgInvitationUseCase, authConfig *conf.Auth, serverConfig *conf.Server, auc *biz.AuditorUseCase, opts ...NewOpt) (*AuthService, error) {
@@ -195,6 +196,11 @@ func craftAuthURLs(scheme, host, path string) *AuthURLs {
195196
return &AuthURLs{Login: login.String(), callback: callback.String()}
196197
}
197198

199+
// SetDevMode configures the service to relax secure cookie settings for local development.
200+
func (svc *AuthService) SetDevMode(devMode bool) {
201+
svc.devMode = devMode
202+
}
203+
198204
func (svc *AuthService) RegisterCallbackHandler() http.Handler {
199205
return oauthHandler{callbackHandler, svc}
200206
}
@@ -223,13 +229,13 @@ func loginHandler(svc *AuthService, w http.ResponseWriter, r *http.Request) *oau
223229

224230
// Store a random string to check it in the oauth callback
225231
state := base64.URLEncoding.EncodeToString(b)
226-
setOauthCookie(w, cookieOauthStateName, state)
232+
svc.setOauthCookie(w, cookieOauthStateName, state)
227233

228234
// Store the final destination where the auth token will be pushed to, i.e the CLI
229-
setOauthCookie(w, cookieCallback, r.URL.Query().Get(oauth.QueryParamCallback))
235+
svc.setOauthCookie(w, cookieCallback, r.URL.Query().Get(oauth.QueryParamCallback))
230236

231237
// Wether the token should be short lived or not
232-
setOauthCookie(w, cookieLongLived, r.URL.Query().Get(oauth.QueryParamLongLived))
238+
svc.setOauthCookie(w, cookieLongLived, r.URL.Query().Get(oauth.QueryParamLongLived))
233239

234240
authorizationURI := svc.authenticator.AuthCodeURL(state)
235241

@@ -433,16 +439,21 @@ func generateUserJWT(userID, passphrase string, expiration time.Duration) (strin
433439
return b.GenerateJWT(userID)
434440
}
435441

436-
func setOauthCookie(w http.ResponseWriter, name, value string) {
437-
http.SetCookie(w, &http.Cookie{
438-
Name: name,
439-
Value: value,
440-
Path: "/",
441-
Expires: time.Now().Add(10 * time.Minute),
442-
HttpOnly: true,
443-
Secure: true,
444-
SameSite: http.SameSiteLaxMode,
445-
})
442+
func (svc *AuthService) setOauthCookie(w http.ResponseWriter, name, value string) {
443+
cookie := &http.Cookie{
444+
Name: name,
445+
Value: value,
446+
Path: "/",
447+
Expires: time.Now().Add(10 * time.Minute),
448+
}
449+
450+
if !svc.devMode {
451+
cookie.HttpOnly = true
452+
cookie.Secure = true
453+
cookie.SameSite = http.SameSiteLaxMode
454+
}
455+
456+
http.SetCookie(w, cookie)
446457
}
447458

448459
func generateAndLogDevUser(userUC *biz.UserUseCase, log *log.Helper, authConfig *conf.Auth) error {

0 commit comments

Comments
 (0)