From a668454a11e1557aa834c358252353d7957a8296 Mon Sep 17 00:00:00 2001
From: Thom Seddon
Date: Tue, 12 May 2020 13:20:51 +0100
Subject: [PATCH] Warn when using http without insecure cookie

Closes #114
---
 internal/server.go | 7 +++++++
 internal/server_test.go | 12 ++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/internal/server.go b/internal/server.go
index 5e1754f..2dc1809 100644
--- a/internal/server.go
+++ b/internal/server.go
@@ -193,6 +193,12 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht
 csrf := MakeCSRFCookie(r, nonce)
 http.SetCookie(w, csrf)
 
+ if !config.InsecureCookie && r.Header.Get("X-Forwarded-Proto") != "https" {
+ logger.Warn("You are using \"secure\" cookies for a request that was not " +
+ "received via https. You should either redirect to https or pass the " +
+ "\"insecure-cookie\" config option to permit cookies via http.")
+ }
+
 // Forward them on
 loginURL := p.GetLoginURL(redirectUri(r), MakeState(r, p, nonce))
 http.Redirect(w, r, loginURL, http.StatusTemporaryRedirect)
@@ -209,6 +215,7 @@ func (s *Server) logger(r *http.Request, handler, rule, msg string) *logrus.Entr
 "handler": handler,
 "rule": rule,
 "method": r.Header.Get("X-Forwarded-Method"),
+ "proto": r.Header.Get("X-Forwarded-Proto"),
 "host": r.Header.Get("X-Forwarded-Host"),
 "uri": r.Header.Get("X-Forwarded-Uri"),
 "source_ip": r.Header.Get("X-Forwarded-For"),
diff --git a/internal/server_test.go b/internal/server_test.go
index 42919bc..7f52e7e 100644
--- a/internal/server_test.go
+++ b/internal/server_test.go
@@ -10,6 +10,8 @@ import (
 "testing"
 "time"
 
+ "github.com/sirupsen/logrus"
+ "github.com/sirupsen/logrus/hooks/test"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "golang.org/x/oauth2"
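Review bot: The new check in authRedirect only logs; the CSRF cookie set two lines above is still written with whatever flags MakeCSRFCookie gives it (presumably Secure when InsecureCookie is false, judging by the message), so over plain http the login round-trip still fails and the only evidence is one warning per redirect. A short comment on the `if` would record why this is a warning rather than a hard failure: `// A Secure cookie is dropped by browsers on plain http, so the redirect back would silently lose the CSRF nonce; warn so operators can spot the misconfiguration.` The comparison `!= "https"` also treats a missing header, a differently-cased value or a proxy-chain list (for example `https, http` from stacked proxies) as non-https, which may produce spurious warnings; if those deployments are supported, compare the first comma-separated element case-insensitively with strings.EqualFold. authRedirect starts and ends outside the hunk.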
@@ -32,6 +34,8 @@ func init() {
 func TestServerAuthHandlerInvalid(t *testing.T) {
 assert := assert.New(t)
 config = newDefaultConfig()
+ var hook *test.Hook
+ log, hook = test.NewNullLogger()
 
 // Should redirect vanilla request to login url
 req := newDefaultHttpRequest("/foo")
@@ -53,6 +57,14 @@ func TestServerAuthHandlerInvalid(t *testing.T) {
 assert.Equal("google", parts[1])
 assert.Equal("http://example.com/foo", parts[2])
 
+ // Should warn as using http without insecure cookie
+ logs := hook.AllEntries()
+ assert.Len(logs, 1)
+ assert.Equal("You are using \"secure\" cookies for a request that was not "+ "received via https. You should either redirect to https or pass the "+ "\"insecure-cookie\" config option to permit cookies via http.", logs[0].Message)
+ assert.Equal(logrus.WarnLevel, logs[0].Level)
+
 // Should catch invalid cookie
 req = newDefaultHttpRequest("/foo")
 c := MakeCookie(req, "test@example.com")
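Review bot: `log, hook = test.NewNullLogger()` reassigns what appears to be the package-level logger `log` (its declaration is outside the hunk) and nothing restores it, so every later test in the package keeps running against this null logger and its hook. If `log` is the shared logger, save and restore it around the test with `prev := log` before the assignment and `t.Cleanup(func() { log = prev })`. TestServerAuthHandlerInvalid continues past the hunk.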
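Review bot: `assert.Len(logs, 1)` does not stop the test, so when no entry was recorded the following `logs[0].Message` indexes an empty slice and the test dies with an index-out-of-range panic instead of the assertion message; use `require.Len(t, logs, 1)` (require is already imported in this file) before touching `logs[0]`. Comparing the full message by string equality also means every wording change in server.go must be mirrored here; asserting `logs[0].Level` plus a distinctive fragment via `assert.Contains` would be less brittle. The enclosing TestServerAuthHandlerInvalid extends beyond the hunk on both sides.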