[installer] Add JWT cookie opts to config WEB-101 (#17332)

* retest

* retest

* [installer] Add cookie name to config

* Fix

* fix

Author: easyCZ

components/public-api/go/config/config.go

@@ -52,8 +52,17 @@ type AuthConfiguration struct {
 }
 
 type SessionConfig struct {
-	LifetimeSeconds int64  `json:"lifetimeSeconds"`
-	Issuer          string `json:"issuer"`
+	LifetimeSeconds int64        `json:"lifetimeSeconds"`
+	Issuer          string       `json:"issuer"`
+	Cookie          CookieConfig `json:"cookie"`
+}
+
+type CookieConfig struct {
+	Name     string `json:"name"`
+	MaxAge   int64  `json:"maxAge"`
+	SameSite string `json:"sameSite"`
+	Secure   bool   `json:"secure"`
+	HTTPOnly bool   `json:"httpOnly"`
 }
 
 type AuthPKIConfiguration struct {

components/server/src/auth/login-completion-handler.ts

@@ -100,11 +100,11 @@ export class LoginCompletionHandler {
         if (isJWTCookieExperimentEnabled) {
             const token = await this.authJWT.sign(user.id, {});
 
-            response.cookie(SessionHandlerProvider.getJWTCookieName(this.config.hostUrl), token, {
-                maxAge: this.config.session.maxAgeMs,
-                httpOnly: true,
-                sameSite: "lax",
-                secure: true,
+            response.cookie(SessionHandlerProvider.getJWTCookieName(this.config), token, {
+                maxAge: this.config.auth.session.cookie.maxAge,
+                httpOnly: this.config.auth.session.cookie.httpOnly,
+                sameSite: this.config.auth.session.cookie.sameSite,
+                secure: this.config.auth.session.cookie.secure,
             });
 
             reportJWTCookieIssued();

components/server/src/config.ts

@@ -55,6 +55,7 @@ export type Config = Omit<
         session: {
             lifetimeSeconds: number;
             issuer: string;
+            cookie: CookieConfig;
         };
     };
 };
@@ -258,10 +259,19 @@ export interface ConfigSerialized {
         session: {
             lifetimeSeconds: number;
             issuer: string;
+            cookie: CookieConfig;
         };
     };
 }
 
+export interface CookieConfig {
+    name: string;
+    maxAge: number;
+    sameSite: boolean | "lax" | "strict" | "none";
+    secure: boolean;
+    httpOnly: boolean;
+}
+
 export interface AuthPKIConfig {
     signing: KeyPair;
     validating?: KeyPair[];

components/server/src/session-handler.ts

@@ -15,7 +15,6 @@ const MySQLStore = mysqlstore(session);
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { Config as DBConfig } from "@gitpod/gitpod-db/lib/config";
 import { Config } from "./config";
-import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
 
 @injectable()
 export class SessionHandlerProvider {
@@ -66,12 +65,8 @@ export class SessionHandlerProvider {
         return `${derived}v2_`;
     }
 
-    static getJWTCookieName(hostURL: GitpodHostUrl) {
-        const derived = hostURL
-            .toString()
-            .replace(/https?/, "")
-            .replace(/[\W_]+/g, "_");
-        return `${derived}jwt_`;
+    static getJWTCookieName(config: Config) {
+        return config.auth.session.cookie.name;
     }
 
     public clearSessionCookie(res: express.Response, config: Config): void {
@@ -82,7 +77,7 @@ export class SessionHandlerProvider {
         delete options.maxAge;
         res.clearCookie(name, options);
 
-        res.clearCookie(SessionHandlerProvider.getJWTCookieName(this.config.hostUrl));
+        res.clearCookie(SessionHandlerProvider.getJWTCookieName(this.config));
     }
 
     protected createStore(): any | undefined {

install/installer/pkg/components/auth/config.go

@@ -6,6 +6,7 @@ package auth
 
 import (
 	"fmt"
+	"regexp"
 	"time"
 
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
@@ -21,17 +22,41 @@ type Config struct {
 
 type SessionConfig struct {
 	// How long shoud the session be valid for?
-	LifetimeSeconds int64  `json:"lifetimeSeconds"`
-	Issuer          string `json:"issuer"`
+	LifetimeSeconds int64        `json:"lifetimeSeconds"`
+	Issuer          string       `json:"issuer"`
+	Cookie          CookieConfig `json:"cookie"`
+}
+
+type CookieConfig struct {
+	Name     string `json:"name"`
+	MaxAge   int64  `json:"maxAge"`
+	SameSite string `json:"sameSite"`
+	Secure   bool   `json:"secure"`
+	HTTPOnly bool   `json:"httpOnly"`
 }
 
 func GetConfig(ctx *common.RenderContext) ([]corev1.Volume, []corev1.VolumeMount, Config) {
 	volumes, mounts, pki := getPKI()
+	lifetime := int64((7 * 24 * time.Hour).Seconds())
 	return volumes, mounts, Config{
 		PKI: pki,
 		Session: SessionConfig{
-			LifetimeSeconds: int64((7 * 24 * time.Hour).Seconds()),
+			LifetimeSeconds: lifetime,
 			Issuer:          fmt.Sprintf("https://%s", ctx.Config.Domain),
+			Cookie: CookieConfig{
+				// Caution: changing these have security implications for the application. Make sure you understand what you're doing.
+				Name:     cookieNameFromDomain(ctx.Config.Domain),
+				MaxAge:   lifetime,
+				SameSite: "lax",
+				Secure:   true,
+				HTTPOnly: true,
+			},
 		},
 	}
 }
+
+func cookieNameFromDomain(domain string) string {
+	// replace all non-word characters with underscores
+	derived := regexp.MustCompile(`[\W_]+`).ReplaceAllString(domain, "_")
+	return "_" + derived + "_jwt_"
+}

install/installer/pkg/components/auth/config_test.go

@@ -0,0 +1,65 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package auth
+
+import "testing"
+
+func TestCookieNameFromDomain(t *testing.T) {
+	tests := []struct {
+		name            string
+		domain          string
+		expectedOutcome string
+	}{
+		{
+			name:            "Simple Domain",
+			domain:          "example.com",
+			expectedOutcome: "_example_com_jwt_",
+		},
+		{
+			name:            "Domain with Underscore",
+			domain:          "example_test.com",
+			expectedOutcome: "_example_test_com_jwt_",
+		},
+		{
+			name:            "Domain with Hyphen",
+			domain:          "example-test.com",
+			expectedOutcome: "_example_test_com_jwt_",
+		},
+		{
+			name:            "Domain with Special Characters",
+			domain:          "example&test.com",
+			expectedOutcome: "_example_test_com_jwt_",
+		},
+		{
+			name:            "Subdomain",
+			domain:          "subdomain.example.com",
+			expectedOutcome: "_subdomain_example_com_jwt_",
+		},
+		{
+			name:            "Subdomain with Hyphen",
+			domain:          "sub-domain.example.com",
+			expectedOutcome: "_sub_domain_example_com_jwt_",
+		},
+		{
+			name:            "Subdomain with Underscore",
+			domain:          "sub_domain.example.com",
+			expectedOutcome: "_sub_domain_example_com_jwt_",
+		},
+		{
+			name:            "Subdomain with Special Characters",
+			domain:          "sub&domain.example.com",
+			expectedOutcome: "_sub_domain_example_com_jwt_",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := cookieNameFromDomain(tt.domain)
+			if actual != tt.expectedOutcome {
+				t.Errorf("expected %q, got %q", tt.expectedOutcome, actual)
+			}
+		})
+	}
+}

install/installer/pkg/components/public-api-server/configmap.go

@@ -74,6 +74,13 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 			Session: config.SessionConfig{
 				LifetimeSeconds: authCfg.Session.LifetimeSeconds,
 				Issuer:          authCfg.Session.Issuer,
+				Cookie: config.CookieConfig{
+					Name:     authCfg.Session.Cookie.Name,
+					MaxAge:   authCfg.Session.Cookie.MaxAge,
+					SameSite: authCfg.Session.Cookie.SameSite,
+					Secure:   authCfg.Session.Cookie.Secure,
+					HTTPOnly: authCfg.Session.Cookie.HTTPOnly,
+				},
 			},
 		},
 		Server: &baseserver.Configuration{

install/installer/pkg/components/public-api-server/configmap_test.go

@@ -69,6 +69,13 @@ func TestConfigMap(t *testing.T) {
 			Session: config.SessionConfig{
 				LifetimeSeconds: int64((24 * 7 * time.Hour).Seconds()),
 				Issuer:          "https://test.domain.everything.awesome.is",
+				Cookie: config.CookieConfig{
+					Name:     "_test_domain_everything_awesome_is_jwt_",
+					MaxAge:   int64((24 * 7 * time.Hour).Seconds()),
+					SameSite: "lax",
+					Secure:   true,
+					HTTPOnly: true,
+				},
 			},
 		},
 		Server: &baseserver.Configuration{

install/installer/pkg/components/server/configmap_test.go

@@ -66,6 +66,13 @@ func TestConfigMap(t *testing.T) {
 			Session: auth.SessionConfig{
 				LifetimeSeconds: int64((7 * 24 * time.Hour).Seconds()),
 				Issuer:          "https://awesome.domain",
+				Cookie: auth.CookieConfig{
+					Name:     "_awesome_domain_jwt_",
+					MaxAge:   int64((7 * 24 * time.Hour).Seconds()),
+					SameSite: "lax",
+					Secure:   true,
+					HTTPOnly: true,
+				},
 			},
 		},
 	}