From ac415a8083b65eba166b2d75f0b5c988a346df39 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Mon, 12 Dec 2022 13:29:31 +0000
Subject: [PATCH] Set a default SameSite policy of 'none'

But make it configurable through a public SameSite field on the sso
Handler object.
---
 httpsso/handler.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/httpsso/handler.go b/httpsso/handler.go
index e90b6a0..4284821 100644
--- a/httpsso/handler.go
+++ b/httpsso/handler.go
@@ -78,6 +78,7 @@ type SSOWrapper struct {
 	serverOrigin string
 
 	EnableCORS bool
+	SameSite   http.SameSite
 }
 
 // NewSSOWrapper returns a new SSOWrapper that will authenticate users
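Review bot: The new exported field `SameSite` on line 20 has no doc comment, and its zero value is http.SameSiteDefaultMode, so the 'none' default announced in the subject only holds for wrappers built through NewSSOWrapper (the literal added in the second hunk); a zero-valued SSOWrapper silently falls back to the browser default. Suggest placing `// SameSite is the SameSite attribute applied to every cookie this wrapper sets. NewSSOWrapper initialises it to http.SameSiteNoneMode, which browsers only honour together with the Secure flag.` above the field so callers adjusting it know the constraint. The SSOWrapper struct declaration starts outside this hunk.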
@@ -99,6 +100,7 @@ func NewSSOWrapper(serverURL string, pkey []byte, domain string, sessionAuthKey,
 		serverURL:    serverURL,
 		serverOrigin: originFromURL(serverURL),
 		EnableCORS:   true,
+		SameSite:     http.SameSiteNoneMode,
 	}, nil
 }
 
@@ -146,6 +148,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, servi
 	nonce := cookie.Value
 	cookie.MaxAge = -1
 	cookie.Value = ""
+	cookie.SameSite = s.SameSite
 	http.SetCookie(w, cookie)
 
 	tkt, err := s.v.Validate(t, nonce, service, groups)
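Review bot: `cookie.SameSite = s.SameSite` on line 36 is applied to a cookie that appears to be the one parsed from the request (its origin is above the hunk); a cookie returned by req.Cookie carries only Name and Value, so Secure is false here. With the new default of SameSiteNoneMode, browsers reject a SameSite=None cookie that is not also Secure, so the MaxAge=-1 deletion would be discarded and the nonce cookie would linger on the client. Adding `cookie.Secure = true` next to the SameSite assignment keeps this deletion consistent with the Secure cookies set in the later hunks. handleLogin begins and ends outside this hunk.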
@@ -173,6 +176,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, servi
 		Path:     pathFromService(service),
 		Secure:   true,
 		HttpOnly: true,
+		SameSite: s.SameSite,
 	})
 
 	s.redirectWithCORS(w, req, d)
@@ -204,6 +208,7 @@ func (s *SSOWrapper) redirectToLogin(w http.ResponseWriter, req *http.Request, s
 		Path:     pathFromService(service) + "sso_login",
 		Secure:   true,
 		HttpOnly: true,
+		SameSite: s.SameSite,
 	})
 
 	v := make(url.Values)
-- 
GitLab