Fix

Author: easyCZ

components/public-api/go/config/config.go

@@ -52,9 +52,17 @@ type AuthConfiguration struct {
 }
 
 type SessionConfig struct {
-	LifetimeSeconds int64  `json:"lifetimeSeconds"`
-	Issuer          string `json:"issuer"`
-	CookieName      string `json:"cookieName"`
+	LifetimeSeconds int64        `json:"lifetimeSeconds"`
+	Issuer          string       `json:"issuer"`
+	Cookie          CookieConfig `json:"cookie"`
+}
+
+type CookieConfig struct {
+	Name     string `json:"name"`
+	MaxAge   int64  `json:"maxAge"`
+	SameSite string `json:"sameSite"`
+	Secure   bool   `json:"secure"`
+	HTTPOnly bool   `json:"httpOnly"`
 }
 
 type AuthPKIConfiguration struct {

components/server/src/auth/login-completion-handler.ts

@@ -100,11 +100,11 @@ export class LoginCompletionHandler {
         if (isJWTCookieExperimentEnabled) {
             const token = await this.authJWT.sign(user.id, {});
 
-            response.cookie(SessionHandlerProvider.getJWTCookieName(this.config.hostUrl), token, {
-                maxAge: this.config.session.maxAgeMs,
-                httpOnly: true,
-                sameSite: "lax",
-                secure: true,
+            response.cookie(SessionHandlerProvider.getJWTCookieName(this.config), token, {
+                maxAge: this.config.auth.session.cookie.maxAge,
+                httpOnly: this.config.auth.session.cookie.httpOnly,
+                sameSite: this.config.auth.session.cookie.sameSite,
+                secure: this.config.auth.session.cookie.secure,
             });
 
             reportJWTCookieIssued();

components/server/src/config.ts

@@ -55,7 +55,7 @@ export type Config = Omit<
         session: {
             lifetimeSeconds: number;
             issuer: string;
-            cookieName: string;
+            cookie: CookieConfig;
         };
     };
 };
@@ -259,11 +259,19 @@ export interface ConfigSerialized {
         session: {
             lifetimeSeconds: number;
             issuer: string;
-            cookieName: string;
+            cookie: CookieConfig;
         };
     };
 }
 
+export interface CookieConfig {
+    name: string;
+    maxAge: number;
+    sameSite: boolean | "lax" | "strict" | "none";
+    secure: boolean;
+    httpOnly: boolean;
+}
+
 export interface AuthPKIConfig {
     signing: KeyPair;
     validating?: KeyPair[];

components/server/src/session-handler.ts

@@ -66,7 +66,7 @@ export class SessionHandlerProvider {
     }
 
     static getJWTCookieName(config: Config) {
-        return config.auth.session.cookieName;
+        return config.auth.session.cookie.name;
     }
 
     public clearSessionCookie(res: express.Response, config: Config): void {

install/installer/pkg/components/auth/config.go

@@ -22,19 +22,34 @@ type Config struct {
 
 type SessionConfig struct {
 	// How long shoud the session be valid for?
-	LifetimeSeconds int64  `json:"lifetimeSeconds"`
-	Issuer          string `json:"issuer"`
-	CookieName      string `json:"cookieName"`
+	LifetimeSeconds int64        `json:"lifetimeSeconds"`
+	Issuer          string       `json:"issuer"`
+	Cookie          CookieConfig `json:"cookie"`
+}
+
+type CookieConfig struct {
+	Name     string `json:"name"`
+	MaxAge   int64  `json:"maxAge"`
+	SameSite string `json:"sameSite"`
+	Secure   bool   `json:"secure"`
+	HTTPOnly bool   `json:"httpOnly"`
 }
 
 func GetConfig(ctx *common.RenderContext) ([]corev1.Volume, []corev1.VolumeMount, Config) {
 	volumes, mounts, pki := getPKI()
+	lifetime := int64((7 * 24 * time.Hour).Seconds())
 	return volumes, mounts, Config{
 		PKI: pki,
 		Session: SessionConfig{
-			LifetimeSeconds: int64((7 * 24 * time.Hour).Seconds()),
+			LifetimeSeconds: lifetime,
 			Issuer:          fmt.Sprintf("https://%s", ctx.Config.Domain),
-			CookieName:      cookieNameFromDomain(ctx.Config.Domain),
+			Cookie: CookieConfig{
+				Name:     cookieNameFromDomain(ctx.Config.Domain),
+				MaxAge:   lifetime,
+				SameSite: "lax",
+				Secure:   true,
+				HTTPOnly: true,
+			},
 		},
 	}
 }

install/installer/pkg/components/public-api-server/configmap.go

@@ -74,7 +74,13 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 			Session: config.SessionConfig{
 				LifetimeSeconds: authCfg.Session.LifetimeSeconds,
 				Issuer:          authCfg.Session.Issuer,
-				CookieName:      authCfg.Session.CookieName,
+				Cookie: config.CookieConfig{
+					Name:     authCfg.Session.Cookie.Name,
+					MaxAge:   authCfg.Session.Cookie.MaxAge,
+					SameSite: authCfg.Session.Cookie.SameSite,
+					Secure:   authCfg.Session.Cookie.Secure,
+					HTTPOnly: authCfg.Session.Cookie.HTTPOnly,
+				},
 			},
 		},
 		Server: &baseserver.Configuration{

install/installer/pkg/components/public-api-server/configmap_test.go

@@ -69,7 +69,13 @@ func TestConfigMap(t *testing.T) {
 			Session: config.SessionConfig{
 				LifetimeSeconds: int64((24 * 7 * time.Hour).Seconds()),
 				Issuer:          "https://test.domain.everything.awesome.is",
-				CookieName:      "_test_domain_everything_awesome_is_jwt_",
+				Cookie: config.CookieConfig{
+					Name:     "_test_domain_everything_awesome_is_jwt_",
+					MaxAge:   int64((24 * 7 * time.Hour).Seconds()),
+					SameSite: "lax",
+					Secure:   true,
+					HTTPOnly: true,
+				},
 			},
 		},
 		Server: &baseserver.Configuration{

install/installer/pkg/components/server/configmap_test.go

@@ -66,7 +66,13 @@ func TestConfigMap(t *testing.T) {
 			Session: auth.SessionConfig{
 				LifetimeSeconds: int64((7 * 24 * time.Hour).Seconds()),
 				Issuer:          "https://awesome.domain",
-				CookieName:      "_awesome_domain_jwt_",
+				Cookie: auth.CookieConfig{
+					Name:     "_awesome_domain_jwt_",
+					MaxAge:   int64((7 * 24 * time.Hour).Seconds()),
+					SameSite: "lax",
+					Secure:   true,
+					HTTPOnly: true,
+				},
 			},
 		},
 	}