Fix issue with SameSite in session config being a http.SameSiteMode

Signed-off-by: Andrew Thornton <[email protected]>

Author: zeripath

modules/auth/sso/sso.go

@@ -135,7 +135,7 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
 		setting.SessionConfig.Domain,
 		setting.SessionConfig.Secure,
 		true,
-		middleware.SameSiteString(setting.SessionConfig.SameSite))
+		middleware.SameSite(setting.SessionConfig.SameSite))
 
 	// Clear whatever CSRF has right now, force to generate a new one
 	middleware.SetCookie(resp, setting.CSRFCookieName, "",
@@ -144,5 +144,5 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
 		setting.SessionConfig.Domain,
 		setting.SessionConfig.Secure,
 		true,
-		middleware.SameSiteString(setting.SessionConfig.SameSite))
+		middleware.SameSite(setting.SessionConfig.SameSite))
 }

modules/context/auth.go

@@ -6,6 +6,8 @@
 package context
 
 import (
+	"net/http"
+
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
@@ -45,7 +47,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 						ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(),
 							0,
 							setting.AppSubURL,
-							middleware.SameSiteString("lax")) // TODO: I think this is correct!
+							middleware.SameSite(http.SameSiteLaxMode)) // TODO: I think this is correct!
 					}
 					ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
 					return
@@ -76,7 +78,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 					ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(),
 						0,
 						setting.AppSubURL,
-						middleware.SameSiteString("lax")) // TODO: I think this is correct!
+						middleware.SameSite(http.SameSiteLaxMode)) // TODO: I think this is correct!
 				}
 				ctx.Redirect(setting.AppSubURL + "/user/login")
 				return
@@ -94,7 +96,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
 				ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(),
 					0,
 					setting.AppSubURL,
-					middleware.SameSiteString("lax")) // TODO: I think this is correct!
+					middleware.SameSite(http.SameSiteLaxMode)) // TODO: I think this is correct!
 			}
 			ctx.Redirect(setting.AppSubURL + "/user/login")
 			return

modules/context/context.go

@@ -524,14 +524,6 @@ func SignedUserName(req *http.Request) string {
 }
 
 func getCsrfOpts() CsrfOptions {
-	sameSite := http.SameSiteStrictMode
-	switch strings.ToLower(setting.SessionConfig.SameSite) {
-	case "none":
-		sameSite = http.SameSiteNoneMode
-	case "lax":
-		sameSite = http.SameSiteLaxMode
-	}
-
 	return CsrfOptions{
 		Secret:         setting.SecretKey,
 		Cookie:         setting.CSRFCookieName,
@@ -541,7 +533,7 @@ func getCsrfOpts() CsrfOptions {
 		Header:         "X-Csrf-Token",
 		CookieDomain:   setting.SessionConfig.Domain,
 		CookiePath:     setting.SessionConfig.CookiePath,
-		SameSite:       sameSite,
+		SameSite:       setting.SessionConfig.SameSite,
 	}
 }
 
@@ -606,7 +598,7 @@ func Contexter() func(next http.Handler) http.Handler {
 						middleware.Domain(setting.SessionConfig.Domain),
 						middleware.HTTPOnly(true),
 						middleware.Secure(setting.SessionConfig.Secure),
-						middleware.SameSiteString(setting.SessionConfig.SameSite),
+						middleware.SameSite(setting.SessionConfig.SameSite),
 					)
 					return
 				}
@@ -616,7 +608,7 @@ func Contexter() func(next http.Handler) http.Handler {
 					middleware.Domain(setting.SessionConfig.Domain),
 					middleware.HTTPOnly(true),
 					middleware.Secure(setting.SessionConfig.Secure),
-					middleware.SameSiteString(setting.SessionConfig.SameSite),
+					middleware.SameSite(setting.SessionConfig.SameSite),
 				)
 			})
 

modules/setting/session.go

@@ -5,6 +5,7 @@
 package setting
 
 import (
+	"net/http"
 	"path"
 	"path/filepath"
 	"strings"
@@ -32,12 +33,12 @@ var (
 		// Cookie domain name. Default is empty.
 		Domain string
 		// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "strict"
-		SameSite string
+		SameSite http.SameSite
 	}{
 		CookieName:  "i_like_gitea",
 		Gclifetime:  86400,
 		Maxlifetime: 86400,
-		SameSite:    "strict",
+		SameSite:    http.SameSiteStrictMode,
 	}
 )
 
@@ -55,7 +56,15 @@ func newSessionService() {
 	SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
 	SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
 	SessionConfig.Domain = sec.Key("DOMAIN").String()
-	SessionConfig.SameSite = sec.Key("SAME_SITE").In("strict", []string{"none", "lax", "strict"})
+	samesiteString := sec.Key("SAME_SITE").In("strict", []string{"none", "lax", "strict"})
+	switch strings.ToLower(samesiteString) {
+	case "none":
+		SessionConfig.SameSite = http.SameSiteNoneMode
+	case "lax":
+		SessionConfig.SameSite = http.SameSiteLaxMode
+	default:
+		SessionConfig.SameSite = http.SameSiteStrictMode
+	}
 
 	json := jsoniter.ConfigCompatibleWithStandardLibrary
 	shadowConfig, err := json.Marshal(SessionConfig)

modules/web/middleware/cookie.go

@@ -8,7 +8,6 @@ package middleware
 import (
 	"net/http"
 	"net/url"
-	"strings"
 	"time"
 
 	"code.gitea.io/gitea/modules/setting"
@@ -64,20 +63,6 @@ func SameSite(sameSite http.SameSite) func(*http.Cookie) {
 	}
 }
 
-// SameSiteString sets the SameSite for a provided cookie
-func SameSiteString(sameSite string) func(*http.Cookie) {
-	return func(c *http.Cookie) {
-		switch strings.ToLower(sameSite) {
-		case "none":
-			c.SameSite = http.SameSiteNoneMode
-		case "lax":
-			c.SameSite = http.SameSiteLaxMode
-		default:
-			c.SameSite = http.SameSiteStrictMode
-		}
-	}
-}
-
 // NewCookie creates a cookie
 func NewCookie(name, value string, maxAge int) *http.Cookie {
 	return &http.Cookie{

modules/web/middleware/locale.go

@@ -49,7 +49,7 @@ func Locale(resp http.ResponseWriter, req *http.Request) translation.Locale {
 			setting.SessionConfig.Domain,
 			setting.SessionConfig.Secure,
 			true,
-			SameSiteString(setting.SessionConfig.SameSite))
+			SameSite(setting.SessionConfig.SameSite))
 	}
 
 	return translation.NewLocale(lang)

routers/user/auth.go

@@ -65,8 +65,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 	defer func() {
 		if !isSucceed {
 			log.Trace("auto-login cookie cleared: %s", uname)
-			ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
-			ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+			ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
+			ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 		}
 	}()
 
@@ -96,7 +96,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, err
 	}
 
-	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 	return true, nil
 }
 
@@ -110,13 +110,13 @@ func checkAutoLogin(ctx *context.Context) bool {
 
 	redirectTo := ctx.Query("redirect_to")
 	if len(redirectTo) > 0 {
-		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 	} else {
 		redirectTo = ctx.GetCookie("redirect_to")
 	}
 
 	if isSucceed {
-		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 		ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
 		return true
 	}
@@ -498,9 +498,9 @@ func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
 func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
 	if remember {
 		days := 86400 * setting.LogInRememberDays
-		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
-			setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+			setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 	}
 
 	_ = ctx.Session.Delete("openid_verified_uri")
@@ -531,10 +531,10 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 		}
 	}
 
-	ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+	ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 
 	// Clear whatever CSRF has right now, force to generate a new one
-	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 
 	// Register last login
 	u.SetLastLogin()
@@ -544,7 +544,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	}
 
 	if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
-		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 		if obeyRedirect {
 			ctx.RedirectToFirst(redirectTo)
 		}
@@ -650,7 +650,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
 		}
 
 		// Clear whatever CSRF has right now, force to generate a new one
-		ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+		ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 
 		// Register last login
 		u.SetLastLogin()
@@ -665,7 +665,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
 		}
 
 		if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
-			ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+			ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 			ctx.RedirectToFirst(redirectTo)
 			return
 		}
@@ -1043,11 +1043,11 @@ func LinkAccountPostRegister(ctx *context.Context) {
 func HandleSignOut(ctx *context.Context) {
 	_ = ctx.Session.Flush()
 	_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
-	ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
-	ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
-	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
-	ctx.SetCookie("lang", "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite)) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
-	ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)                                                                                                                       // logout default should set redirect to to default
+	ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
+	ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
+	ctx.SetCookie("lang", "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite)) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
+	ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)                                                                                                                 // logout default should set redirect to to default
 }
 
 // SignOut sign out from login status

routers/user/auth_openid.go

@@ -48,13 +48,13 @@ func SignInOpenID(ctx *context.Context) {
 
 	redirectTo := ctx.Query("redirect_to")
 	if len(redirectTo) > 0 {
-		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 	} else {
 		redirectTo = ctx.GetCookie("redirect_to")
 	}
 
 	if isSucceed {
-		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 		ctx.RedirectToFirst(redirectTo)
 		return
 	}

routers/user/setting/profile.go

@@ -117,7 +117,7 @@ func ProfilePost(ctx *context.Context) {
 	}
 
 	// Update the language to the one we just set
-	ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSiteString(setting.SessionConfig.SameSite))
+	ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true, middleware.SameSite(setting.SessionConfig.SameSite))
 
 	log.Trace("User settings updated: %s", ctx.User.Name)
 	ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))