Add block key for oauth

claceio · Dec 15, 2024 · e506189 · e506189
1 parent 0a68355
commit e506189
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/internal/server/sso_auth.go b/internal/server/sso_auth.go
@@ -6,7 +6,6 @@ package server
 import (
 	"crypto/rand"
 	"fmt"
-	"io"
 	"net/http"
 	"strings"
 
@@ -66,20 +65,39 @@ func genCookieName(provider string) string {
 	return fmt.Sprintf("%s_%s", provider, SESSION_COOKIE)
 }
 
+func generateRandomKey(length int) (string, error) {
+	key := make([]byte, length)
+	_, err := rand.Read(key)
+	if err != nil {
+		return "", err
+	}
+	return string(key), nil
+}
+
 func (s *SSOAuth) Setup() error {
+	var err error
 	sessionKey := s.config.Security.SessionSecret
 	if sessionKey == "" {
-		k := make([]byte, 32)
-		if _, err := io.ReadFull(rand.Reader, k); err != nil {
+		sessionKey, err = generateRandomKey(32)
+		if err != nil {
+			return err
+		}
+	}
+
+	sessionBlockKey := s.config.Security.SessionBlockKey
+	if sessionBlockKey == "" {
+		sessionBlockKey, err = generateRandomKey(32)
+		if err != nil {
 			return err
 		}
 	}
 
-	s.cookieStore = sessions.NewCookieStore([]byte(sessionKey))
+	s.cookieStore = sessions.NewCookieStore([]byte(sessionKey), []byte(sessionBlockKey))
 	s.cookieStore.MaxAge(s.config.Security.SessionMaxAge)
 	s.cookieStore.Options.Path = "/"
 	s.cookieStore.Options.HttpOnly = true
 	s.cookieStore.Options.Secure = s.config.Security.SessionHttpsOnly
+	s.cookieStore.Options.SameSite = http.SameSiteLaxMode
 
 	gothic.Store = s.cookieStore // Set the store for gothic
 	gothic.GetProviderName = getProviderName

diff --git a/internal/system/clace.default.toml b/internal/system/clace.default.toml
@@ -29,6 +29,7 @@ disable_client_certs = true                    # disable client certs for HTTPS
 admin_over_tcp = false            # enable admin API's over TCP (HTTP/HTTPS). Admin is over UDS only by default
 admin_password_bcrypt = ""        # the password bcrypt value
 session_secret = ""               # the secret key for session cookie. Auto generated on server startup if not set
+session_block_key = ""            # the block key for session cookie. Auto generated on server startup if not set
 session_max_age = 86400           # session max age in seconds
 session_https_only = true         # session cookie is HTTPS only
 app_default_auth_type = "system"  # default auth type for apps, "system" or "none" or custom auth

diff --git a/internal/types/types.go b/internal/types/types.go
@@ -166,6 +166,7 @@ type SecurityConfig struct {
 	AppDefaultAuthType        string `toml:"app_default_auth_type"`
 	AppDefaultSecretsProvider string `toml:"app_default_secrets_provider"`
 	SessionSecret             string `toml:"session_secret"`
+	SessionBlockKey           string `toml:"session_block_key"`
 	SessionMaxAge             int    `toml:"session_max_age"`
 	SessionHttpsOnly          bool   `toml:"session_https_only"`
 	CallbackUrl               string `toml:"callback_url"`