Auth: Keep OIDC RP state and PKCE cookies Secure on HTTPS

Gate the OIDC relying-party cookie handler's WithUnsecure() on the existing
insecure flag instead of applying it unconditionally, so the round-trip state
(CSRF defense) and PKCE code_verifier cookies retain the Secure attribute on
HTTPS deployments. Addresses audit finding OJW-260603-02 (GO-HTTP-005).
This commit is contained in:
Michael Mayer 2026-06-03 16:10:39 +00:00
parent 51c4eed71e
commit d48ef12c99

View file

@ -62,8 +62,15 @@ func NewClient(issuerUri *url.URL, oidcClient, oidcSecret, oidcScopes, siteUrl s
return nil, err
}
// Create cookie handler.
cookieHandler := utils.NewCookieHandler(hashKey, encryptKey, utils.WithUnsecure())
// Create cookie handler. The short-lived state (CSRF defense) and PKCE
// code_verifier cookies keep the Secure attribute on HTTPS deployments; it is
// only dropped when running insecurely (HTTP issuer / relaxed TLS), gated by the
// same flag that already permits a non-HTTPS issuer.
var cookieOpts []utils.CookieHandlerOpt
if insecure {
cookieOpts = append(cookieOpts, utils.WithUnsecure())
}
cookieHandler := utils.NewCookieHandler(hashKey, encryptKey, cookieOpts...)
// Create HTTP client.
httpClient := HttpClient(insecure)