change cookie samesite to none (#210)

* change cookie samesite to none * make cookie samesite mode configurable * better config usage
gobitfly · Apr 17, 2024 · 57af3e0 · 57af3e0
1 parent 27e9eb2
commit 57af3e0
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/backend/cmd/api/main.go b/backend/cmd/api/main.go
@@ -48,7 +48,7 @@ func main() {
 	}
 	defer dataAccessor.CloseDataAccessService()
 
-	sessionManager := api.NewSessionManager(cfg.RedisCacheEndpoint, !cfg.Frontend.Debug)
+	sessionManager := api.NewSessionManager(cfg)
 
 	router := api.NewApiRouter(dataAccessor, sessionManager)
 	router.Use(api.GetCorsMiddleware(cfg.CorsAllowedHosts), api.GetAuthMiddleware(cfg.ApiKeySecret))

diff --git a/backend/pkg/api/auth.go b/backend/pkg/api/auth.go
@@ -6,15 +6,16 @@ import (
 
 	"github.com/alexedwards/scs/redisstore"
 	"github.com/alexedwards/scs/v2"
+	"github.com/gobitfly/beaconchain/pkg/commons/types"
 	"github.com/gomodule/redigo/redis"
 )
 
-func NewSessionManager(redisEndpoint string, secure bool) *scs.SessionManager {
+func NewSessionManager(cfg *types.Config) *scs.SessionManager {
 	// TODO: replace redis with user db down the line (or replace sessions with oauth2)
 	pool := &redis.Pool{
 		MaxIdle: 10,
 		Dial: func() (redis.Conn, error) {
-			return redis.Dial("tcp", redisEndpoint)
+			return redis.Dial("tcp", cfg.RedisCacheEndpoint)
 		},
 	}
 
@@ -23,8 +24,14 @@ func NewSessionManager(redisEndpoint string, secure bool) *scs.SessionManager {
 	scs.Cookie.Name = "session_id"
 	scs.Cookie.HttpOnly = true
 	scs.Cookie.Persist = true
-	scs.Cookie.SameSite = http.SameSiteLaxMode
+	sameSite := http.SameSiteLaxMode
+	secure := !cfg.Frontend.Debug
+	if cfg.Frontend.SessionSameSiteNone {
+		sameSite = http.SameSiteNoneMode
+		secure = true
+	}
 	scs.Cookie.Secure = secure
+	scs.Cookie.SameSite = sameSite
 
 	scs.Store = redisstore.New(pool)
 

diff --git a/backend/pkg/commons/types/config.go b/backend/pkg/commons/types/config.go
@@ -171,6 +171,7 @@ type Config struct {
 			DiamondMonth  int `yaml:"diamondMonth" envconfig:"FRONTEND_RATELIMITS_DIAMOND_MONTH"`
 		} `yaml:"ratelimits"`
 		SessionSecret          string `yaml:"sessionSecret" envconfig:"FRONTEND_SESSION_SECRET"`
+		SessionSameSiteNone    bool   `yaml:"sessionSameSiteNone" envconfig:"FRONTEND_SESSION_SAMESITE_NONE"`
 		JwtSigningSecret       string `yaml:"jwtSigningSecret" envconfig:"FRONTEND_JWT_SECRET"`
 		JwtIssuer              string `yaml:"jwtIssuer" envconfig:"FRONTEND_JWT_ISSUER"`
 		JwtValidityInMinutes   int    `yaml:"jwtValidityInMinutes" envconfig:"FRONTEND_JWT_VALIDITY_INMINUTES"`