feat: add explicit config flag for secure cookies (#4180)

Adds a new config flag for session and all other cookies. Falls back to the previous behavior of using the dev mode to decide if the cookie should be secure or not.
ory · Oct 29, 2024 · 2aabe12 · 2aabe12
1 parent a3fa760
commit 2aabe12
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 3 deletions.
diff --git a/driver/config/config.go b/driver/config/config.go
@@ -110,6 +110,7 @@ const (
 	ViperKeyAdminTLSKeyPath                                  = "serve.admin.tls.key.path"
 	ViperKeySessionLifespan                                  = "session.lifespan"
 	ViperKeySessionSameSite                                  = "session.cookie.same_site"
+	ViperKeySessionSecure                                    = "session.cookie.secure"
 	ViperKeySessionDomain                                    = "session.cookie.domain"
 	ViperKeySessionName                                      = "session.cookie.name"
 	ViperKeySessionPath                                      = "session.cookie.path"
@@ -124,6 +125,7 @@ const (
 	ViperKeyCookieSameSite                                   = "cookies.same_site"
 	ViperKeyCookieDomain                                     = "cookies.domain"
 	ViperKeyCookiePath                                       = "cookies.path"
+	ViperKeyCookieSecure                                     = "cookies.secure"
 	ViperKeySelfServiceStrategyConfig                        = "selfservice.methods"
 	ViperKeySelfServiceBrowserDefaultReturnTo                = "selfservice." + DefaultBrowserReturnURL
 	ViperKeyURLsAllowedReturnToDomains                       = "selfservice.allowed_return_urls"
@@ -1384,6 +1386,13 @@ func (p *Config) SessionDomain(ctx context.Context) string {
 	return p.GetProvider(ctx).String(ViperKeySessionDomain)
 }
 
+func (p *Config) SessionCookieSecure(ctx context.Context) bool {
+	if !p.GetProvider(ctx).Exists(ViperKeySessionSecure) {
+		return !p.IsInsecureDevMode(ctx)
+	}
+	return p.GetProvider(ctx).Bool(ViperKeySessionSecure)
+}
+
 func (p *Config) CookieDomain(ctx context.Context) string {
 	return p.GetProvider(ctx).String(ViperKeyCookieDomain)
 }
@@ -1439,6 +1448,13 @@ func (p *Config) CookiePath(ctx context.Context) string {
 	return p.GetProvider(ctx).String(ViperKeyCookiePath)
 }
 
+func (p *Config) CookieSecure(ctx context.Context) bool {
+	if !p.GetProvider(ctx).Exists(ViperKeyCookieSecure) {
+		return !p.IsInsecureDevMode(ctx)
+	}
+	return p.GetProvider(ctx).Bool(ViperKeyCookieSecure)
+}
+
 func (p *Config) SelfServiceFlowLoginReturnTo(ctx context.Context, strategy string) *url.URL {
 	return p.selfServiceReturnTo(ctx, ViperKeySelfServiceLoginAfter, strategy)
 }

diff --git a/driver/registry_default.go b/driver/registry_default.go
@@ -527,7 +527,7 @@ func (m *RegistryDefault) CookieManager(ctx context.Context) sessions.StoreExact
 	}
 
 	cs := sessions.NewCookieStore(keys...)
-	cs.Options.Secure = !m.Config().IsInsecureDevMode(ctx)
+	cs.Options.Secure = m.Config().SessionCookieSecure(ctx)
 	cs.Options.HttpOnly = true
 
 	if domain := m.Config().SessionDomain(ctx); domain != "" {
@@ -553,7 +553,7 @@ func (m *RegistryDefault) CookieManager(ctx context.Context) sessions.StoreExact
 func (m *RegistryDefault) ContinuityCookieManager(ctx context.Context) sessions.StoreExact {
 	// To support hot reloading, this can not be instantiated only once.
 	cs := sessions.NewCookieStore(m.Config().SecretsSession(ctx)...)
-	cs.Options.Secure = !m.Config().IsInsecureDevMode(ctx)
+	cs.Options.Secure = m.Config().CookieSecure(ctx)
 	cs.Options.HttpOnly = true
 	cs.Options.SameSite = http.SameSiteLaxMode
 	return cs

diff --git a/embedx/config.schema.json b/embedx/config.schema.json
@@ -2785,6 +2785,11 @@
           "type": "string",
           "default": "/"
         },
+        "secure": {
+          "title": "Session Cookie Secure Flag",
+          "description": "Sets the session secure flag. If unset, defaults to !dev mode.",
+          "type": "string"
+        },
         "same_site": {
           "title": "HTTP Cookie Same Site Configuration",
           "description": "Sets the session and CSRF cookie SameSite.",
@@ -2879,6 +2884,11 @@
               "description": "Sets the session cookie path. Use with care! Overrides `cookies.path`.",
               "type": "string"
             },
+            "secure": {
+              "title": "Session Cookie Secure Flag",
+              "description": "Sets the session secure flag. If unset, defaults to !dev mode.",
+              "type": "string"
+            },
             "same_site": {
               "title": "Session Cookie SameSite Configuration",
               "description": "Sets the session cookie SameSite. Overrides `cookies.same_site`.",

diff --git a/x/nosurf.go b/x/nosurf.go
@@ -138,7 +138,7 @@ func NosurfBaseCookieHandler(reg interface {
 	config.Provider
 }) func(w http.ResponseWriter, r *http.Request) http.Cookie {
 	return func(w http.ResponseWriter, r *http.Request) http.Cookie {
-		secure := !reg.Config().IsInsecureDevMode(r.Context())
+		secure := reg.Config().CookieSecure(r.Context())
 
 		sameSite := reg.Config().CookieSameSiteMode(r.Context())
 		if !secure {