From 5a4acc5cd3a764b9812bb01d0af56a0e7ec7599c Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Wed, 23 Aug 2023 10:43:01 -0700
Subject: [PATCH] config: validate cookie_secure option (#4484)

Do not allow the combination of 'cookie_same_site: none' and 'cookie_secure: false'. Cookies with SameSite=None must also set the Secure option, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#none.
---
 config/options.go | 2 ++
 config/options_test.go | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/config/options.go b/config/options.go
index 1f2838890..f48af08ce 100644
--- a/config/options.go
+++ b/config/options.go
@@ -767,6 +767,8 @@ func (o *Options) Validate() error {
 if err := ValidateCookieSameSite(o.CookieSameSite); err != nil {
 return fmt.Errorf("config: invalid cookie_same_site: %w", err)
+ } else if !o.CookieSecure && o.GetCookieSameSite() == http.SameSiteNoneMode {
+ return errors.New("config: cannot use cookie_same_site: none with cookie_secure: false")
 }
 if err := ValidateLogLevel(o.LogLevel); err != nil {
diff --git a/config/options_test.go b/config/options_test.go
index b817ee22c..9f1dd54c7 100644
--- a/config/options_test.go
+++ b/config/options_test.go
@@ -62,6 +62,9 @@ func Test_Validate(t *testing.T) {
 missingStorageDSN.DataBrokerStorageType = "redis"
 badSignoutRedirectURL := testOptions()
 badSignoutRedirectURL.SignOutRedirectURLString = "--"
+ badCookieSettings := testOptions()
+ badCookieSettings.CookieSameSite = "none"
+ badCookieSettings.CookieSecure = false
 tests := []struct {
 name string
@@ -76,6 +79,7 @@ func Test_Validate(t *testing.T) {
 {"invalid databroker storage type", invalidStorageType, true},
 {"missing databroker storage dsn", missingStorageDSN, true},
 {"invalid signout redirect url", badSignoutRedirectURL, true},
+ {"CookieSameSite none with CookieSecure fale", badCookieSettings, true},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
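Review bot: The new check is attached as an `else if` to an `if` whose body already returns, which is the "else after terminating if" shape Go style discourages and which hides that this is an independent validation rule rather than a fallback of the same-site parse; close the first `if` and make the new rule its own statement: `}` / `if !o.CookieSecure && o.GetCookieSameSite() == http.SameSiteNoneMode {` / `return errors.New("config: cannot use cookie_same_site: none with cookie_secure: false")`. Rejecting this combination at config load is the right place for it, since a browser that receives `SameSite=None` without `Secure` drops the cookie silently and the failure would otherwise only surface as broken sessions at runtime. A short comment above the new check, e.g. `// SameSite=None is only honored by browsers when the cookie is also Secure.`, would record the why for the next reader. Validate() starts before this hunk and continues past it.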
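Review bot: The new table entry in the second hunk has a typo in its name, `fale` for `false`, which is what `t.Run` will print on failure; change it to `{"CookieSameSite none with CookieSecure false", badCookieSettings, true},`. The case only asserts that some error is returned, so it would also pass if `"none"` were rejected by ValidateCookieSameSite for an unrelated reason; if the table supports it, checking the returned message mentions `cookie_secure` would pin the new rule specifically. Test_Validate starts before the first hunk and continues past the second.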