mirror of
https://github.com/photoprism/photoprism.git
synced 2026-07-17 16:49:04 +00:00
Auth: Keep OIDC RP state and PKCE cookies Secure on HTTPS
Gate the OIDC relying-party cookie handler's WithUnsecure() on the existing insecure flag instead of applying it unconditionally, so the round-trip state (CSRF defense) and PKCE code_verifier cookies retain the Secure attribute on HTTPS deployments. Addresses audit finding OJW-260603-02 (GO-HTTP-005).
This commit is contained in:
parent
51c4eed71e
commit
d48ef12c99
1 changed files with 9 additions and 2 deletions
|
|
@ -62,8 +62,15 @@ func NewClient(issuerUri *url.URL, oidcClient, oidcSecret, oidcScopes, siteUrl s
|
|||
return nil, err
|
||||
}
|
||||
|
||||
// Create cookie handler.
|
||||
cookieHandler := utils.NewCookieHandler(hashKey, encryptKey, utils.WithUnsecure())
|
||||
// Create cookie handler. The short-lived state (CSRF defense) and PKCE
|
||||
// code_verifier cookies keep the Secure attribute on HTTPS deployments; it is
|
||||
// only dropped when running insecurely (HTTP issuer / relaxed TLS), gated by the
|
||||
// same flag that already permits a non-HTTPS issuer.
|
||||
var cookieOpts []utils.CookieHandlerOpt
|
||||
if insecure {
|
||||
cookieOpts = append(cookieOpts, utils.WithUnsecure())
|
||||
}
|
||||
cookieHandler := utils.NewCookieHandler(hashKey, encryptKey, cookieOpts...)
|
||||
|
||||
// Create HTTP client.
|
||||
httpClient := HttpClient(insecure)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue