fix(api): http cookies properties (#5792)

Signed-off-by: francois  samin <[email protected]>

engine/api/api.go

@@ -878,26 +878,29 @@ func (a *API) Serve(ctx context.Context) error {
 // This will returns a cookie with no expiration date that should be dropped by browser when closed.
 func (a *API) SetCookieSession(w http.ResponseWriter, name, value string) {
 	a.setCookie(w, &http.Cookie{
-		Name:  name,
-		Value: value,
+		Name:     name,
+		Value:    value,
+		HttpOnly: false,
 	})
 }
 
 // SetCookie on given response writter, automatically add domain and path based on api config.
-func (a *API) SetCookie(w http.ResponseWriter, name, value string, expires time.Time) {
+func (a *API) SetCookie(w http.ResponseWriter, name, value string, expires time.Time, httpOnly bool) {
 	a.setCookie(w, &http.Cookie{
-		Name:    name,
-		Value:   value,
-		Expires: expires,
+		Name:     name,
+		Value:    value,
+		Expires:  expires,
+		HttpOnly: httpOnly,
 	})
 }
 
 // UnsetCookie on given response writter, automatically add domain and path based on api config.
-func (a *API) UnsetCookie(w http.ResponseWriter, name string) {
+func (a *API) UnsetCookie(w http.ResponseWriter, name string, httpOnly bool) {
 	a.setCookie(w, &http.Cookie{
-		Name:   name,
-		Value:  "",
-		MaxAge: -1,
+		Name:     name,
+		Value:    "",
+		MaxAge:   -1,
+		HttpOnly: httpOnly,
 	})
 }
 
@@ -910,6 +913,12 @@ func (a *API) setCookie(w http.ResponseWriter, c *http.Cookie) {
 			c.Path = "/"
 		}
 	}
+	c.SameSite = http.SameSiteStrictMode
+	c.Secure = true
+	uiURL, _ := url.Parse(a.Config.URL.UI)
+	if uiURL != nil && uiURL.Hostname() != "" {
+		c.Domain = uiURL.Hostname()
+	}
 	http.SetCookie(w, c)
 }
 

engine/api/auth.go

@@ -291,7 +291,7 @@ func (api *API) postAuthSigninHandler() service.Handler {
 		}
 
 		// Set a cookie with the jwt token
-		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 		// Prepare http response
 		resp := sdk.AuthConsumerSigninResponse{
@@ -313,7 +313,7 @@ func (api *API) postAuthSignoutHandler() service.Handler {
 		}
 
 		// Delete the jwt cookie value
-		api.UnsetCookie(w, service.JWTCookieName)
+		api.UnsetCookie(w, service.JWTCookieName, true)
 
 		return service.WriteJSON(w, nil, http.StatusOK)
 	}
@@ -356,7 +356,7 @@ func (api *API) postAuthDetachHandler() service.Handler {
 
 		// If we just removed the current consumer, clean http cookie.
 		if consumer.ID == currentConsumer.ID {
-			api.UnsetCookie(w, service.JWTCookieName)
+			api.UnsetCookie(w, service.JWTCookieName, true)
 		}
 
 		return service.WriteJSON(w, nil, http.StatusOK)

engine/api/auth_builtin.go

@@ -65,7 +65,7 @@ func (api *API) postAuthBuiltinSigninHandler() service.Handler {
 		}
 
 		// Set a cookie with the jwt token
-		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 		usr, err := user.LoadByID(ctx, tx, consumer.AuthentifiedUserID)
 		if err != nil {

engine/api/auth_local.go

@@ -220,7 +220,7 @@ func (api *API) postAuthLocalSigninHandler() service.Handler {
 		}
 
 		// Set a cookie with the jwt token
-		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 		// Prepare http response
 		resp := sdk.AuthConsumerSigninResponse{
@@ -353,7 +353,7 @@ func (api *API) postAuthLocalVerifyHandler() service.Handler {
 		local.CleanVerifyConsumerToken(api.Cache, consumer.ID)
 
 		// Set a cookie with the jwt token
-		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 		// Prepare http response
 		resp := sdk.AuthConsumerSigninResponse{
@@ -521,7 +521,7 @@ func (api *API) postAuthLocalResetHandler() service.Handler {
 		local.CleanResetConsumerToken(api.Cache, consumer.ID)
 
 		// Set a cookie with the jwt token
-		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt)
+		api.SetCookie(w, service.JWTCookieName, jwt, session.ExpireAt, true)
 
 		// Prepare http response
 		resp := sdk.AuthConsumerSigninResponse{