config: allow dynamic configuration of cookie settings (#1267)

2025-05-09 15:17:39 +02:00 · 2020-08-13 08:11:34 -06:00 · 2020-08-13 08:11:34 -06:00 · fbf5b403b9
commit fbf5b403b9
parent 0c51ad0e66
17 changed files with 184 additions and 165 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -110,6 +110,8 @@ type Authenticate struct {
 	jwk *jose.JSONWebKeySet

 	templates *template.Template
+
+	options *config.AtomicOptions
 }

 // New validates and creates a new authenticate service from a set of Options.
@ -138,11 +140,6 @@ func New(opts *config.Options) (*Authenticate, error) {
 		Expire:   opts.CookieExpire,
 	}

-	cookieStore, err := cookie.NewStore(cookieOptions, sharedEncoder)
-	if err != nil {
-		return nil, err
-	}
-
 	dataBrokerConn, err := grpc.NewGRPCClientConn(
 		&grpc.Options{
 			Addr:                    opts.DataBrokerURL,
@ -192,9 +189,7 @@ func New(opts *config.Options) (*Authenticate, error) {
 		cookieSecret:     decodedCookieSecret,
 		cookieCipher:     cookieCipher,
 		cookieOptions:    cookieOptions,
-		sessionStore:     cookieStore,
 		encryptedEncoder: encryptedEncoder,
-		sessionLoaders:   []sessions.SessionLoader{qpStore, headerStore, cookieStore},
 		// IdP
 		provider:     provider,
 		providerName: opts.Provider,
@ -202,8 +197,26 @@ func New(opts *config.Options) (*Authenticate, error) {
 		dataBrokerClient: dataBrokerClient,
 		jwk:              &jose.JSONWebKeySet{},
 		templates:        template.Must(frontend.NewTemplates()),
+		options:          config.NewAtomicOptions(),
 	}

+	cookieStore, err := cookie.NewStore(func() cookie.Options {
+		opts := a.options.Load()
+		return cookie.Options{
+			Name:     opts.CookieName,
+			Domain:   opts.CookieDomain,
+			Secure:   opts.CookieSecure,
+			HTTPOnly: opts.CookieHTTPOnly,
+			Expire:   opts.CookieExpire,
+		}
+	}, sharedEncoder)
+	if err != nil {
+		return nil, err
+	}
+
+	a.sessionStore = cookieStore
+	a.sessionLoaders = []sessions.SessionLoader{qpStore, headerStore, cookieStore}
+
 	if opts.SigningKey != "" {
 		decodedCert, err := base64.StdEncoding.DecodeString(opts.SigningKey)
 		if err != nil {
@ -236,5 +249,6 @@ func (a *Authenticate) OnConfigChange(cfg *config.Config) {
 	}

 	log.Info().Str("checksum", fmt.Sprintf("%x", cfg.Options.Checksum())).Msg("authenticate: updating options")
+	a.options.Store(cfg.Options)
 	a.setAdminUsers(cfg.Options)
 }