#69 #72 Make auth cookie secure with custom expiry

alexbrazier · Apr 6, 2020 · b3ee91d · b3ee91d
1 parent 143c0f3
commit b3ee91d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -97,6 +97,8 @@ POSTGRES_PASS=password HOSTS=localhost APP_URI=http://localhost:3000 go run serv
 | `SLACK_SIGNING_SECRET`      |          |                | xxxxxxxxxxx                  | Slack signing secret to enable Slack `/go` command                                                     |
 | `SLACK_TEAM_ID`             |          |                | Txxxxxxxx                    | Slack team id to restrict slash command responses to single team                                       |
 | `ENABLE_AUTH`               |          | false          |                              | Enable Azure auth or not - if enabled, all other fields must be filled in                              |
+| `AUTH_EXPIRY_SECONDS`       |          | 2592000        |                              | Auth cookie expiry (default 30 days)                                                                   |
+| `SECURE_COOKIES`            |          | true           |                              | Use secure https only cookies                                                                          |
 | `AD_TENANT_ID`              |          |                |                              | Azure AD tenant ID                                                                                     |
 | `AD_CLIENT_ID`              |          |                |                              | Azure AD client ID                                                                                     |
 | `AD_CLIENT_SECRET`          |          |                |                              | Azure AD client secret                                                                                 |

diff --git a/api/config/config.go b/api/config/config.go
@@ -12,6 +12,8 @@ type Specification struct {
 	JSONLogs               bool     `envconfig:"JSON_LOGS"`
 	Port                   int      `default:"1323"`
 	EnableAuth             bool     `envconfig:"ENABLE_AUTH"`
+	AuthExpirySeconds      int      `envconfig:"AUTH_EXPIRY_SECONDS" default:"2592000"`
+	SecureCookies          bool     `envconfig:"SECURE_COOKIES" default:"true"`
 	ADTenantID             string   `envconfig:"AD_TENANT_ID"`
 	ADClientID             string   `envconfig:"AD_CLIENT_ID"`
 	ADClientSecret         string   `envconfig:"AD_CLIENT_SECRET"`
@@ -42,6 +44,8 @@ type Auth struct {
 	AllowedIPs             []string
 	AllowForwardedFor      bool
 	ForwardedForTrustLevel int
+	MaxAge                 int
+	SecureCookies          bool
 }
 
 // Database config
@@ -100,6 +104,8 @@ func Init() {
 		AllowedIPs:             spec.AllowedIPs,
 		AllowForwardedFor:      spec.AllowForwardedFor,
 		ForwardedForTrustLevel: spec.ForwardedForTrustLevel,
+		MaxAge:                 spec.AuthExpirySeconds,
+		SecureCookies:          spec.SecureCookies,
 	}
 	config.Database = Database{
 		Addr:     spec.PostgresAddr,

diff --git a/api/handler/auth.go b/api/handler/auth.go
@@ -65,10 +65,20 @@ func (h *Handler) AuthInit(e *echo.Echo) {
 	// Create file system store with no size limit
 	fsStore := sessions.NewFilesystemStore("", sessionStoreKeyPairs...)
 	fsStore.MaxLength(0)
+
+	fsStore.Options = &sessions.Options{
+		Path:     "/",
+		MaxAge:   appConfig.Auth.MaxAge,
+		HttpOnly: true,
+		Secure:   appConfig.Auth.SecureCookies,
+		SameSite: http.SameSiteStrictMode,
+	}
+
 	store = fsStore
 
 	gob.Register(&User{})
 	gob.Register(&oauth2.Token{})
+
 	e.GET("/callback", h.callbackHandler)
 }