From 5f00e7c304aeaa6d4522b882e94cc16be9921ef5 Mon Sep 17 00:00:00 2001
From: zachmann <gabriel.zachmann@kit.edu>
Date: Thu, 20 May 2021 08:25:20 +0200
Subject: [PATCH] set cookie secure if issuer uses https indepent of a potentail proxy

---
 internal/config/config.go | 9 +++++++++
 internal/endpoints/revocation/revocationEndpoint.go | 2 +-
 internal/oidc/authcode/authcode.go | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index cc8a38b4..8e54cac5 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,6 +2,7 @@ package config
 
 import (
 "fmt"
+ "strings"
 
 "github.com/coreos/go-oidc/v3/oidc"
 log "github.com/sirupsen/logrus"
@@ -22,6 +23,7 @@ var defaultConfig = Config{
 Enabled: true, // The default is that TLS is enabled if cert and key are given, this is checked later; we must set true here, because otherwise we cannot distinct this from a false set by the user
 RedirectHTTP: true,
 },
+ Secure: true,
 },
 DB: DBConf{
 Hosts: []string{"localhost"},
@@ -158,6 +160,7 @@ type serverConf struct {
 Hostname string `yaml:"hostname"`
 Port int `yaml:"port"`
 TLS tlsConf `yaml:"tls"`
+ Secure bool `yaml:"-"` // Secure indicates if the connection to the mytoken server is secure. This is independent of TLS, e.g. a Proxy can be used.
 }
 
 type tlsConf struct {
@@ -217,6 +220,12 @@ func validate() error {
 if conf == nil {
 return fmt.Errorf("config not set")
 }
+ if conf.IssuerURL == "" {
+ return fmt.Errorf("invalid config:issuer_url not set")
+ }
+ if strings.HasPrefix(conf.IssuerURL, "http://") {
+ conf.Server.Secure = false
+ }
 if conf.Server.Hostname == "" {
 return fmt.Errorf("invalid config: server.hostname not set")
 }
diff --git a/internal/endpoints/revocation/revocationEndpoint.go b/internal/endpoints/revocation/revocationEndpoint.go
index 036eb2f5..332f2e97 100644
--- a/internal/endpoints/revocation/revocationEndpoint.go
+++ b/internal/endpoints/revocation/revocationEndpoint.go
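Review bot: The `strings.HasPrefix(conf.IssuerURL, "http://")` test added to validate is case-sensitive, so an issuer written as `HTTP://host` keeps `Server.Secure` at its default of true even though the cookies then travel over plaintext and browsers will not return them; URL schemes are case-insensitive, so compare with `if strings.HasPrefix(strings.ToLower(conf.IssuerURL), "http://") {` (or parse once with net/url and use `strings.EqualFold(u.Scheme, "http")`). The new message `"invalid config:issuer_url not set"` is also missing the space after the colon that the neighbouring `"invalid config: server.hostname not set"` has. If the loader allows `Server.TLS.Enabled` to be true alongside an `http://` issuer, the Secure flag that revocationEndpoint.go and authcode.go previously derived from `TLS.Enabled` is now dropped for that combination; validate could reject it with an explicit error rather than silently downgrading. The body of validate continues past the hunk.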
@@ -46,7 +46,7 @@ func HandleRevoke(ctx *fiber.Ctx) error {
 Value: "",
 Path: "/api",
 Expires: time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC),
- Secure: config.Get().Server.TLS.Enabled,
+ Secure: config.Get().Server.Secure,
 HTTPOnly: true,
 SameSite: "Strict",
 }},
diff --git a/internal/oidc/authcode/authcode.go b/internal/oidc/authcode/authcode.go
index 2a6b8439..88b195c4 100644
--- a/internal/oidc/authcode/authcode.go
+++ b/internal/oidc/authcode/authcode.go
@@ -244,7 +244,7 @@ func CodeExchange(oState *state.State, code string, networkData api.ClientMetaDa
 Value: cookieValue,
 Path: "/api",
 MaxAge: cookieAge,
- Secure: config.Get().Server.TLS.Enabled,
+ Secure: config.Get().Server.Secure,
 HTTPOnly: true,
 SameSite: "Strict",
 }},
--
GitLab