- adding the http-only option for cookies (#127)

5ab537a6 · Rohith · GitHub · f44d6c5b · 5ab537a6 · 5ab537a6
Commit 5ab537a6 authored Aug 26, 2016 by Rohith Committed by GitHub Aug 26, 2016
--- a/cli.go
+++ b/cli.go
@@ -172,6 +172,10 @@ func getCLIOptions() []cli.Flag {
 			Name:  "secure-cookie",
 			Usage: "enforces the cookie to be secure, default to true",
 		},
+		cli.BoolFlag{
+			Name:  "http-only-cookie",
+			Usage: "enforces the cookie is in http only mode, default to false",
+		},
 		cli.StringSliceFlag{
 			Name:  "cookie-domain",
 			Usage: "a domain the access cookie is available to, defaults host header",
@@ -369,6 +373,9 @@ func parseCLIOptions(cx *cli.Context, config *Config) (err error) {
 	if cx.IsSet("secure-cookie") {
 		config.SecureCookie = cx.Bool("secure-cookie")
 	}
+	if cx.IsSet("http-only-cookie") {
+		config.HTTPOnlyCookie = cx.Bool("http-only-cookie")
+	}
 	if cx.IsSet("cookie-access-name") {
 		config.CookieAccessName = cx.String("cookie-access-name")
 	}

--- a/cookies.go
+++ b/cookies.go
@@ -35,6 +35,7 @@ func (r *oauthProxy) dropCookie(cx *gin.Context, name, value string, duration ti
 	cookie := &http.Cookie{
 		Name:     name,
 		Domain:   domain,
+		HttpOnly: r.config.HTTPOnlyCookie,
 		Path:     "/",
 		Secure:   r.config.SecureCookie,
 		Value:    value,

--- a/cookies_test.go
+++ b/cookies_test.go
@@ -54,6 +54,25 @@ func TestDropCookie(t *testing.T) {
 		"we have not set the cookie, headers: %v", context.Writer.Header())
 }

+func TestHTTPOnlyCookie(t *testing.T) {
+	p, _, _ := newTestProxyService(nil)
+
+	context := newFakeGinContext("GET", "/admin")
+	p.dropCookie(context, "test-cookie", "test-value", 0)
+
+	assert.Equal(t, context.Writer.Header().Get("Set-Cookie"),
+		"test-cookie=test-value; Path=/; Domain=127.0.0.1",
+		"we have not set the cookie, headers: %v", context.Writer.Header())
+
+	context = newFakeGinContext("GET", "/admin")
+	p.config.HTTPOnlyCookie = true
+	p.dropCookie(context, "test-cookie", "test-value", 0)
+
+	assert.Equal(t, context.Writer.Header().Get("Set-Cookie"),
+		"test-cookie=test-value; Path=/; Domain=127.0.0.1; HttpOnly",
+		"we have not set the cookie, headers: %v", context.Writer.Header())
+}
+
 func TestClearAccessTokenCookie(t *testing.T) {
 	p, _, _ := newTestProxyService(nil)
 	context := newFakeGinContext("GET", "/admin")

--- a/doc.go
+++ b/doc.go
@@ -138,6 +138,8 @@ type Config struct {
 	CookieRefreshName string `json:"cookie-refresh-name" yaml:"cookie-refresh-name"`
 	// SecureCookie enforces the cookie as secure
 	SecureCookie bool `json:"secure-cookie" yaml:"secure-cookie"`
+	// HTTPOnlyCookie enforces the cookie as http only
+	HTTPOnlyCookie bool `json:"http-only-cookie" yaml:"http-only-cookie"`

 	// MatchClaims is a series of checks, the claims in the token must match those here
 	MatchClaims map[string]string `json:"match-claims" yaml:"match-claims"`