- adding the ability to override the cookie domain used for the acces…

…s and refresh token (#113)
louketo · Jul 13, 2016 · 88e5547 · 88e5547
1 parent 8550bc7
commit 88e5547
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 
 FEATURES:
  * Added a prometheus metrics endpoint, at present a break down by status_code is provided
+ * Added the ability to override the cookie domain from the default host header
 
 CHANGES:
  * Updated the godeps for codegangsta cli to it's renamed version

diff --git a/config.go b/config.go
@@ -202,6 +202,9 @@ func readOptions(cx *cli.Context, config *Config) (err error) {
 	if cx.IsSet("cookie-refresh-name") {
 		config.CookieRefreshName = cx.String("cookie-refresh-name")
 	}
+	if cx.IsSet("cookie-domain") {
+		config.CookieDomain = cx.String("cookie-domain")
+	}
 	if cx.IsSet("add-claims") {
 		config.AddClaims = append(config.AddClaims, cx.StringSlice("add-claims")...)
 	}
@@ -425,6 +428,10 @@ func getOptions() []cli.Flag {
 			Name:  "secure-cookie",
 			Usage: "enforces the cookie to be secure, default to true",
 		},
+		cli.StringSliceFlag{
+			Name:  "cookie-domain",
+			Usage: "a domain the access cookie is available to, defaults host header",
+		},
 		cli.StringFlag{
 			Name:  "cookie-access-name",
 			Usage: "the name of the cookie use to hold the access token",

diff --git a/cookies.go b/cookies.go
@@ -26,10 +26,15 @@ import (
 //
 // dropCookie drops a cookie into the response
 //
-func (r oauthProxy) dropCookie(cx *gin.Context, name, value string, duration time.Duration) {
+func (r *oauthProxy) dropCookie(cx *gin.Context, name, value string, duration time.Duration) {
+	// step: default to the host header, else the config domain
+	domain := strings.Split(cx.Request.Host, ":")[0]
+	if r.config.CookieDomain != "" {
+		domain = r.config.CookieDomain
+	}
 	cookie := &http.Cookie{
 		Name:   name,
-		Domain: strings.Split(cx.Request.Host, ":")[0],
+		Domain: domain,
 		Path:   "/",
 		Secure: r.config.SecureCookie,
 		Value:  value,
@@ -44,35 +49,35 @@ func (r oauthProxy) dropCookie(cx *gin.Context, name, value string, duration tim
 //
 // dropAccessTokenCookie drops a access token cookie into the response
 //
-func (r oauthProxy) dropAccessTokenCookie(cx *gin.Context, value string, duration time.Duration) {
+func (r *oauthProxy) dropAccessTokenCookie(cx *gin.Context, value string, duration time.Duration) {
 	r.dropCookie(cx, r.config.CookieAccessName, value, duration)
 }
 
 //
 // dropRefreshTokenCookie drops a refresh token cookie into the response
 //
-func (r oauthProxy) dropRefreshTokenCookie(cx *gin.Context, value string, duration time.Duration) {
+func (r *oauthProxy) dropRefreshTokenCookie(cx *gin.Context, value string, duration time.Duration) {
 	r.dropCookie(cx, r.config.CookieRefreshName, value, duration)
 }
 
 //
 // clearAllCookies is just a helper function for the below
 //
-func (r oauthProxy) clearAllCookies(cx *gin.Context) {
+func (r *oauthProxy) clearAllCookies(cx *gin.Context) {
 	r.clearAccessTokenCookie(cx)
 	r.clearRefreshTokenCookie(cx)
 }
 
 //
 // clearRefreshSessionCookie clears the session cookie
 //
-func (r oauthProxy) clearRefreshTokenCookie(cx *gin.Context) {
+func (r *oauthProxy) clearRefreshTokenCookie(cx *gin.Context) {
 	r.dropCookie(cx, r.config.CookieRefreshName, "", time.Duration(-10*time.Hour))
 }
 
 //
 // clearAccessTokenCookie clears the session cookie
 //
-func (r oauthProxy) clearAccessTokenCookie(cx *gin.Context) {
+func (r *oauthProxy) clearAccessTokenCookie(cx *gin.Context) {
 	r.dropCookie(cx, r.config.CookieAccessName, "", time.Duration(-10*time.Hour))
 }
diff --git a/cookies_test.go b/cookies_test.go
@@ -45,6 +45,13 @@ func TestDropCookie(t *testing.T) {
 	assert.NotEqual(t, context.Writer.Header().Get("Set-Cookie"),
 		"test-cookie=test-value; Path=/; Domain=127.0.0.2; HttpOnly; Secure",
 		"we have not set the cookie, headers: %v", context.Writer.Header())
+
+	p.config.CookieDomain = "test.com"
+	p.dropCookie(context, "test-cookie", "test-value", 0)
+	p.config.SecureCookie = false
+	assert.NotEqual(t, context.Writer.Header().Get("Set-Cookie"),
+		"test-cookie=test-value; Path=/; Domain=test.com;",
+		"we have not set the cookie, headers: %v", context.Writer.Header())
 }
 
 func TestClearAccessTokenCookie(t *testing.T) {

diff --git a/doc.go b/doc.go
@@ -125,6 +125,8 @@ type Config struct {
 	// EnableURIMetrics indicates we want to keep metrics on uri request times
 	EnableURIMetrics bool `json:"enable-uri-metrics" yaml:"enable-uri-metrics"`
 
+	// CookieDomain is a list of domains the cookie is available to
+	CookieDomain string `json:"cookie-domain" yaml:"cookie-domain"`
 	// CookieAccessName is the name of the access cookie holding the access token
 	CookieAccessName string `json:"cookie-access-name" yaml:"cookie-access-name"`
 	// CookieRefreshName is the name of the refresh cookie