gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

harden(auth/cookies): __Host- prefix on all three auth cookies (MED-14, BREAKING)

Browse Source 
Audit 2026-05-10 — close MED-14 from the HANDOFF.md backend batch
(item 5). The session, CSRF, and OIDC pre-login cookies all carry
the __Host- prefix; browsers now reject any subdomain attempt to
overwrite them.

Cookie name changes (BREAKING — existing sessions invalidate):
  - certctl_session       → __Host-certctl_session
  - certctl_csrf          → __Host-certctl_csrf
  - certctl_oidc_pending  → __Host-certctl_oidc_pending

The __Host- prefix requires Path=/ + Secure + no Domain attribute.
Post-login session + CSRF cookies already met all three. The pre-login
cookie's Path widened from '/auth/oidc/' to '/' to satisfy the prefix;
the cookie lives 10 minutes and is only consumed by the callback
handler, so the wider path scope is harmless.

Files touched:
  - internal/auth/session/domain/types.go — constant rename + comment
  - internal/auth/session/domain/types_test.go — assertion update
  - internal/api/handler/auth_session_oidc.go — pre-login set + clear
    paths widened from /auth/oidc/ to /
  - web/src/api/client.ts — readCSRFCookie now compares against
    '__Host-certctl_csrf'
  - CHANGELOG.md — Unreleased > Security (BREAKING) entry
  - docs/migration/oidc-enable.md — operator-facing detail of the
    one-time re-authentication window + GUI customization guidance

Operator impact: ONE re-login prompt per active session at the deploy
that lands this change. Subsequent logins issue the __Host-prefixed
cookie automatically. Existing bookmarked deep links work without
modification (cookies are path-scoped, not URL-scoped).

Refs: cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 5
      cowork/auth-bundles-audit-2026-05-10.md MED-14
This commit is contained in:
shankar0123
2026-05-10 22:52:53 +00:00
parent 72b54ce850
commit 874419989d
6 changed files with 100 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/handler/auth_session_oidc.go
+12 -6
View File
@@ -243,9 +243,12 @@ func (h *AuthSessionOIDCHandler) LoginInitiate(w http.ResponseWriter, r *http.Re
return
}
http.SetCookie(w, &http.Cookie{
Name: sessiondomain.PreLoginCookieName,
Value: cookieValue,
Path: "/auth/oidc/",
Name: sessiondomain.PreLoginCookieName,
Value: cookieValue,
// Audit 2026-05-10 MED-14 — `__Host-` prefix requires Path=/.
// The cookie lives 10 minutes and is only ever consumed by the
// callback handler; the wider path scope is harmless.
Path: "/",
MaxAge: int((10 * time.Minute).Seconds()),
Secure: h.cookieAttrs.Secure,
HttpOnly: true,
@@ -1104,9 +1107,12 @@ func (h *AuthSessionOIDCHandler) recordAudit(ctx context.Context, action, actor
func (h *AuthSessionOIDCHandler) clearPreLoginCookie(w http.ResponseWriter) {
http.SetCookie(w, &http.Cookie{
Name: sessiondomain.PreLoginCookieName,
Value: "",
Path: "/auth/oidc/",
Name: sessiondomain.PreLoginCookieName,
Value: "",
// Audit 2026-05-10 MED-14 — Path=/ matches the write site
// post-`__Host-` rename. The browser only clears cookies that
// match the original Set-Cookie's Name+Path+Domain triple.
Path: "/",
MaxAge: -1,
Secure: h.cookieAttrs.Secure,
HttpOnly: true,