|
1 | 1 | // |
2 | | -// Copyright 2024-2025 The Chainloop Authors. |
| 2 | +// Copyright 2024-2026 The Chainloop Authors. |
3 | 3 | // |
4 | 4 | // Licensed under the Apache License, Version 2.0 (the "License"); |
5 | 5 | // you may not use this file except in compliance with the License. |
@@ -114,6 +114,7 @@ type AuthService struct { |
114 | 114 | orgInvitesUseCase *biz.OrgInvitationUseCase |
115 | 115 | AuthURLs *AuthURLs |
116 | 116 | auditorUseCase *biz.AuditorUseCase |
| 117 | + devMode bool |
117 | 118 | } |
118 | 119 |
|
119 | 120 | func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC *biz.MembershipUseCase, inviteUC *biz.OrgInvitationUseCase, authConfig *conf.Auth, serverConfig *conf.Server, auc *biz.AuditorUseCase, opts ...NewOpt) (*AuthService, error) { |
@@ -195,6 +196,11 @@ func craftAuthURLs(scheme, host, path string) *AuthURLs { |
195 | 196 | return &AuthURLs{Login: login.String(), callback: callback.String()} |
196 | 197 | } |
197 | 198 |
|
| 199 | +// SetDevMode configures the service to relax secure cookie settings for local development. |
| 200 | +func (svc *AuthService) SetDevMode(devMode bool) { |
| 201 | + svc.devMode = devMode |
| 202 | +} |
| 203 | + |
198 | 204 | func (svc *AuthService) RegisterCallbackHandler() http.Handler { |
199 | 205 | return oauthHandler{callbackHandler, svc} |
200 | 206 | } |
@@ -223,13 +229,13 @@ func loginHandler(svc *AuthService, w http.ResponseWriter, r *http.Request) *oau |
223 | 229 |
|
224 | 230 | // Store a random string to check it in the oauth callback |
225 | 231 | state := base64.URLEncoding.EncodeToString(b) |
226 | | - setOauthCookie(w, cookieOauthStateName, state) |
| 232 | + svc.setOauthCookie(w, cookieOauthStateName, state) |
227 | 233 |
|
228 | 234 | // Store the final destination where the auth token will be pushed to, i.e the CLI |
229 | | - setOauthCookie(w, cookieCallback, r.URL.Query().Get(oauth.QueryParamCallback)) |
| 235 | + svc.setOauthCookie(w, cookieCallback, r.URL.Query().Get(oauth.QueryParamCallback)) |
230 | 236 |
|
231 | 237 | // Wether the token should be short lived or not |
232 | | - setOauthCookie(w, cookieLongLived, r.URL.Query().Get(oauth.QueryParamLongLived)) |
| 238 | + svc.setOauthCookie(w, cookieLongLived, r.URL.Query().Get(oauth.QueryParamLongLived)) |
233 | 239 |
|
234 | 240 | authorizationURI := svc.authenticator.AuthCodeURL(state) |
235 | 241 |
|
@@ -433,16 +439,21 @@ func generateUserJWT(userID, passphrase string, expiration time.Duration) (strin |
433 | 439 | return b.GenerateJWT(userID) |
434 | 440 | } |
435 | 441 |
|
436 | | -func setOauthCookie(w http.ResponseWriter, name, value string) { |
437 | | - http.SetCookie(w, &http.Cookie{ |
438 | | - Name: name, |
439 | | - Value: value, |
440 | | - Path: "/", |
441 | | - Expires: time.Now().Add(10 * time.Minute), |
442 | | - HttpOnly: true, |
443 | | - Secure: true, |
444 | | - SameSite: http.SameSiteLaxMode, |
445 | | - }) |
| 442 | +func (svc *AuthService) setOauthCookie(w http.ResponseWriter, name, value string) { |
| 443 | + cookie := &http.Cookie{ |
| 444 | + Name: name, |
| 445 | + Value: value, |
| 446 | + Path: "/", |
| 447 | + Expires: time.Now().Add(10 * time.Minute), |
| 448 | + } |
| 449 | + |
| 450 | + if !svc.devMode { |
| 451 | + cookie.HttpOnly = true |
| 452 | + cookie.Secure = true |
| 453 | + cookie.SameSite = http.SameSiteLaxMode |
| 454 | + } |
| 455 | + |
| 456 | + http.SetCookie(w, cookie) |
446 | 457 | } |
447 | 458 |
|
448 | 459 | func generateAndLogDevUser(userUC *biz.UserUseCase, log *log.Helper, authConfig *conf.Auth) error { |
|
0 commit comments