Set a default SameSite policy of 'none'

But make it configurable through a public SameSite field on the sso Handler object.

Set a default SameSite policy of 'none'
ac415a80 · ale · dd49fe4a · ac415a80
Commit ac415a80 authored 2 years ago by ale
--- a/httpsso/handler.go
+++ b/httpsso/handler.go
@@ -78,6 +78,7 @@ type SSOWrapper struct {
 	serverOrigin string

 	EnableCORS bool
+	SameSite   http.SameSite
 }

 // NewSSOWrapper returns a new SSOWrapper that will authenticate users
@@ -99,6 +100,7 @@ func NewSSOWrapper(serverURL string, pkey []byte, domain string, sessionAuthKey,
 		serverURL:    serverURL,
 		serverOrigin: originFromURL(serverURL),
 		EnableCORS:   true,
+		SameSite:     http.SameSiteNoneMode,
 	}, nil
 }

@@ -146,6 +148,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, servi
 	nonce := cookie.Value
 	cookie.MaxAge = -1
 	cookie.Value = ""
+	cookie.SameSite = s.SameSite
 	http.SetCookie(w, cookie)

 	tkt, err := s.v.Validate(t, nonce, service, groups)
@@ -173,6 +176,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, servi
 		Path:     pathFromService(service),
 		Secure:   true,
 		HttpOnly: true,
+		SameSite: s.SameSite,
 	})

 	s.redirectWithCORS(w, req, d)
@@ -204,6 +208,7 @@ func (s *SSOWrapper) redirectToLogin(w http.ResponseWriter, req *http.Request, s
 		Path:     pathFromService(service) + "sso_login",
 		Secure:   true,
 		HttpOnly: true,
+		SameSite: s.SameSite,
 	})

 	v := make(url.Values)