From 5824dc9a2ee0e74aba17a4063cb275b6b9d52636 Mon Sep 17 00:00:00 2001
From: Simon Coe
Date: Tue, 3 Oct 2023 13:34:04 +0000
Subject: [PATCH] set SameSite cookie attribute to lax for CV and NONCE

This enables authentication that isn't embeded into the same site. e.g. changing host to Okta to log in, then back to site once authenticated.
---
 authn/github.index.js | 14 ++++++++++++--
 authn/openid.index.js | 30 ++++++++++++++++++++++--------
 authn/pkce.index.js | 32 +++++++++++++++++++++++---------
 3 files changed, 57 insertions(+), 19 deletions(-)

diff --git a/authn/github.index.js b/authn/github.index.js
index 809c1cb..1686a0a 100644
--- a/authn/github.index.js
+++ b/authn/github.index.js
@@ -161,7 +161,12 @@ function redirect(request, headers, callback) {
 }],
 "set-cookie" : [{
 "key": "Set-Cookie",
- "value" : cookie.serialize('TOKEN', '', { path: '/', expires: new Date(1970, 1, 1, 0, 0, 0, 0) })
+ "value" : cookie.serialize('TOKEN', '', {
+ path: '/',
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
+ })
 }],
 },
 };
@@ -180,7 +185,12 @@ function unauthorized(body, callback) {
 }],
 "set-cookie" : [{
 "key": "Set-Cookie",
- "value" : cookie.serialize('TOKEN', '', { path: '/', expires: new Date(1970, 1, 1, 0, 0, 0, 0) })
+ "value" : cookie.serialize('TOKEN', '', {
+ path: '/',
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
+ })
 }],
 },
 };
diff --git a/authn/openid.index.js b/authn/openid.index.js
index 9afb500..5190860 100644
--- a/authn/openid.index.js
+++ b/authn/openid.index.js
@@ -196,7 +196,9 @@ function mainProcess(event, context, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('NONCE', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 }
 ],
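Review bot: The expired-TOKEN Set-Cookie literal is now repeated verbatim here in redirect() and again in the unauthorized() hunk (-180), so the attribute set has to be kept in step by hand, and `path` must continue to match the one TOKEN is issued with (outside this diff) for the clear to hit the same cookie. A one-line helper such as `const clearCookie = (name, sameSite) => cookie.serialize(name, '', { path: '/', expires: new Date(0), sameSite, secure: true });` would give both call sites a single definition of the attributes. `new Date(1970, 1, 1, 0, 0, 0, 0)` evaluates to 1 Feb 1970 in local time because the month argument is zero-based; it is still in the past, so the clear works, but `new Date(0)` or `maxAge: 0` states the intent directly. Both redirect() and unauthorized() begin and end outside these hunks.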
@@ -240,21 +242,27 @@ function mainProcess(event, context, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('TOKEN', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
 })
 },
 {
 "key": "Set-Cookie",
 "value" : cookie.serialize('CV', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 },
 {
 "key": "Set-Cookie",
 "value" : cookie.serialize('NONCE', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 }
 ],
@@ -318,7 +326,9 @@ function redirect(request, headers, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('TOKEN', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
 })
 },
 {
@@ -326,7 +336,7 @@ function redirect(request, headers, callback) {
 "value" : cookie.serialize('NONCE', n[1], {
 path: '/',
 httpOnly: true,
- sameSite: 'strict',
+ sameSite: 'lax',
 secure: true
 })
 }
@@ -370,14 +380,18 @@ function unauthorized(error, error_description, error_uri, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('TOKEN', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
 })
 },
 {
 "key": "Set-Cookie",
 "value" : cookie.serialize('NONCE', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 }
 ],
diff --git a/authn/pkce.index.js b/authn/pkce.index.js
index 1b98128..5b57717 100755
--- a/authn/pkce.index.js
+++ b/authn/pkce.index.js
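Review bot: Changing NONCE here, and NONCE and CV in pkce.index.js (hunks -340 and -349), to `sameSite: 'lax'` is the right setting for this flow: the browser comes back from the provider via a cross-site top-level GET, a Strict cookie is withheld on that request, and so the nonce comparison could not have succeeded before; TOKEN staying Strict is correct since it never needs to cross sites. Two consequences deserve a comment beside the attribute. Lax is still withheld on a cross-site POST, so a `response_mode=form_post` configuration would need `sameSite: 'none'` with `secure` retained, and with Lax the callback now arrives carrying these cookies from any top-level navigation, so the handler's comparison of the returned state/nonce against the cookie value (outside this diff; worth confirming it is strict equality) is what binds the callback to the browser that started the login. Suggested comment on the attribute line: `// lax: must survive the top-level redirect back from the IdP (strict is withheld on it); single-use, httpOnly, secure`. redirect() begins and ends outside this hunk.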
@@ -195,7 +195,9 @@ function mainProcess(event, context, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('NONCE', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 }
 ],
@@ -239,21 +241,27 @@ function mainProcess(event, context, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('TOKEN', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
 })
 },
 {
 "key": "Set-Cookie",
 "value" : cookie.serialize('CV', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 },
 {
 "key": "Set-Cookie",
 "value" : cookie.serialize('NONCE', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 }
 ],
@@ -332,7 +340,9 @@ function redirect(request, headers, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('TOKEN', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
 })
 },
 {
@@ -340,7 +350,7 @@ function redirect(request, headers, callback) {
 "value" : cookie.serialize('NONCE', n[1], {
 path: '/',
 httpOnly: true,
- sameSite: 'strict',
+ sameSite: 'lax',
 secure: true
 })
 },
@@ -349,7 +359,7 @@ function redirect(request, headers, callback) {
 "value" : cookie.serialize('CV', challenge[0], {
 path: '/',
 httpOnly: true,
- sameSite: 'strict',
+ sameSite: 'lax',
 secure: true
 })
 }
@@ -394,14 +404,18 @@ function unauthorized(error, error_description, error_uri, callback) {
 "key": "Set-Cookie",
 "value" : cookie.serialize('TOKEN', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'strict',
+ secure: true
 })
 },
 {
 "key": "Set-Cookie",
 "value" : cookie.serialize('NONCE', '', {
 path: '/',
- expires: new Date(1970, 1, 1, 0, 0, 0, 0)
+ expires: new Date(1970, 1, 1, 0, 0, 0, 0),
+ sameSite: 'lax',
+ secure: true
 })
 }
 ],