Support setting cookie domain (#6288)

Signed-off-by: Tamal Saha <tamal@appscode.com>

diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index e44cc90a4bfbf07d8340c232673dfb3866186802..02129647505924572ea85a9d79872bfd5378f438 100644 (file)
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -321,6 +321,8 @@ IMPORT_LOCAL_PATHS = false
 DISABLE_GIT_HOOKS = false
 ; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt"
 PASSWORD_HASH_ALGO = pbkdf2
+; Set false to allow JavaScript to read CSRF cookie
+CSRF_COOKIE_HTTP_ONLY = true
 
 [openid]
 ;

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 61905f8ad8d9ebfe394391380cb03c7f523979e9..6f3bc465a659a2e2c46755b7753188ee822a70e5 100644 (file)
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -198,6 +198,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
 - `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[pbkdf2, argon2, scrypt, bcrypt\].
+- `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
 
 ## OpenID (`openid`)
 

diff --git a/go.mod b/go.mod
index 8fdf57b3fcdbfd9912dccf05008fb5f0313e6b88..182f8aca98bd96dbbd11bef44a1bf86cb0e7d279 100644 (file)
--- a/go.mod
+++ b/go.mod
@@ -47,8 +47,8 @@ require (
        github.com/go-macaron/cache v0.0.0-20151013081102-561735312776
        github.com/go-macaron/captcha v0.0.0-20190710000913-8dc5911259df
        github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9
-       github.com/go-macaron/csrf v0.0.0-20180426211211-503617c6b372
-       github.com/go-macaron/i18n v0.0.0-20160612092837-ef57533c3b0f
+       github.com/go-macaron/csrf v0.0.0-20190131233648-3751b136073c
+       github.com/go-macaron/i18n v0.0.0-20190131234336-56731837a73b
        github.com/go-macaron/inject v0.0.0-20160627170012-d8a0b8677191
        github.com/go-macaron/session v0.0.0-20190131233854-0a0a789bf193
        github.com/go-macaron/toolbox v0.0.0-20180818072302-a77f45a7ce90

diff --git a/go.sum b/go.sum
index 8a617be49cb560ffa808cfaf3d730ecd343165df..5256f0ce8097764a9ec650b647d7bd27f52fead1 100644 (file)
--- a/go.sum
+++ b/go.sum
@@ -117,10 +117,10 @@ github.com/go-macaron/captcha v0.0.0-20190710000913-8dc5911259df h1:MdgvtI3Y1u/D
 github.com/go-macaron/captcha v0.0.0-20190710000913-8dc5911259df/go.mod h1:j9TJ+0nwUOWBvNnm0bheHIPFf3cC62EQo7n7O6PbjZA=
 github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9 h1:A0QGzY6UHHEil0I2e7C21JenNNG0mmrj5d9SFWTlgr8=
 github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9/go.mod h1:utmMRnVIrXPSfA9MFcpIYKEpKawjKxf62vv62k4707E=
-github.com/go-macaron/csrf v0.0.0-20180426211211-503617c6b372 h1:acrx8CnDmlKl+BPoOOLEK9Ko+SrWFB5pxRuGkKj4iqo=
-github.com/go-macaron/csrf v0.0.0-20180426211211-503617c6b372/go.mod h1:oZGMxI7MBnicI0jJqJvH4qQzyrWKhtiKxLSJKHC+ydc=
-github.com/go-macaron/i18n v0.0.0-20160612092837-ef57533c3b0f h1:wDKrZFc9pYJlqFOf7EzGbFMrSFFtyHt3plr2uTdo8Rg=
-github.com/go-macaron/i18n v0.0.0-20160612092837-ef57533c3b0f/go.mod h1:MePM/dStkAh+PNzAdNSNl4SGDM2EZvZGken+KpJhM7s=
+github.com/go-macaron/csrf v0.0.0-20190131233648-3751b136073c h1:yCyrJuFaxKX/VoV9hHqYXhkFEMtg+Hxsiitk1z/lHfQ=
+github.com/go-macaron/csrf v0.0.0-20190131233648-3751b136073c/go.mod h1:oZGMxI7MBnicI0jJqJvH4qQzyrWKhtiKxLSJKHC+ydc=
+github.com/go-macaron/i18n v0.0.0-20190131234336-56731837a73b h1:p19t0uFyv0zkBwp4dafzU3EcpHilHNffTVDmxpn/M+w=
+github.com/go-macaron/i18n v0.0.0-20190131234336-56731837a73b/go.mod h1:MePM/dStkAh+PNzAdNSNl4SGDM2EZvZGken+KpJhM7s=
 github.com/go-macaron/inject v0.0.0-20160627170012-d8a0b8677191 h1:NjHlg70DuOkcAMqgt0+XA+NHwtu66MkTVVgR4fFWbcI=
 github.com/go-macaron/inject v0.0.0-20160627170012-d8a0b8677191/go.mod h1:VFI2o2q9kYsC4o7VP1HrEVosiZZTd+MVT3YZx4gqvJw=
 github.com/go-macaron/session v0.0.0-20190131233854-0a0a789bf193 h1:z/nqwd+ql/r6Q3QGnwNd6B89UjPytM0be5pDQV9TuWw=

diff --git a/modules/setting/session.go b/modules/setting/session.go
index 313c3c76b5a47b27832f7220331f852f4ba3cc4b..7009576ccb4ac1c81fc67bd4a323a72daca0abd7 100644 (file)
--- a/modules/setting/session.go
+++ b/modules/setting/session.go
@@ -34,6 +34,7 @@ func newSessionService() {
        SessionConfig.Secure = Cfg.Section("session").Key("COOKIE_SECURE").MustBool(false)
        SessionConfig.Gclifetime = Cfg.Section("session").Key("GC_INTERVAL_TIME").MustInt64(86400)
        SessionConfig.Maxlifetime = Cfg.Section("session").Key("SESSION_LIFE_TIME").MustInt64(86400)
+       SessionConfig.Domain = Cfg.Section("session").Key("DOMAIN").String()
 
        shadowConfig, err := json.Marshal(SessionConfig)
        if err != nil {

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 7201f0619d4d38a13287cddd004d102be91f94fb..6a5c5a36d706406c305d417534dfca4dfc4eac1e 100644 (file)
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -287,7 +287,8 @@ var (
        // Time settings
        TimeFormat string
 
-       CSRFCookieName = "_csrf"
+       CSRFCookieName     = "_csrf"
+       CSRFCookieHTTPOnly = true
 
        // Mirror settings
        Mirror struct {
@@ -781,6 +782,8 @@ func NewContext() {
        ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
        DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
        PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
+       CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
+
        InternalToken = loadInternalToken(sec)
        IterateBufferSize = Cfg.Section("database").Key("ITERATE_BUFFER_SIZE").MustInt(50)
        LogSQL = Cfg.Section("database").Key("LOG_SQL").MustBool(true)

diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index ec57e8f5fdac7b9c8a65162e4fd5bf3b514cf0fd..c81d56064c3d151080ec36b17b60fab65154f192 100644 (file)
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -181,12 +181,13 @@ func NewMacaron() *macaron.Macaron {
        }
 
        m.Use(i18n.I18n(i18n.Options{
-               SubURL:      setting.AppSubURL,
-               Files:       localFiles,
-               Langs:       setting.Langs,
-               Names:       setting.Names,
-               DefaultLang: "en-US",
-               Redirect:    false,
+               SubURL:       setting.AppSubURL,
+               Files:        localFiles,
+               Langs:        setting.Langs,
+               Names:        setting.Names,
+               DefaultLang:  "en-US",
+               Redirect:     false,
+               CookieDomain: setting.SessionConfig.Domain,
        }))
        m.Use(cache.Cacher(cache.Options{
                Adapter:       setting.CacheService.Adapter,
@@ -202,8 +203,9 @@ func NewMacaron() *macaron.Macaron {
                Cookie:         setting.CSRFCookieName,
                SetCookie:      true,
                Secure:         setting.SessionConfig.Secure,
-               CookieHttpOnly: true,
+               CookieHttpOnly: setting.CSRFCookieHTTPOnly,
                Header:         "X-Csrf-Token",
+               CookieDomain:   setting.SessionConfig.Domain,
                CookiePath:     setting.AppSubURL,
        }))
        m.Use(toolbox.Toolboxer(m, toolbox.Options{

diff --git a/routers/user/auth.go b/routers/user/auth.go
index 8203593739e8c7d4546ece4d28dae6a101607884..f78171a1b72ed2421a39fddd33764bbbdd1d75b7 100644 (file)
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -58,8 +58,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
        defer func() {
                if !isSucceed {
                        log.Trace("auto-login cookie cleared: %s", uname)
-                       ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
-                       ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+                       ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+                       ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
                }
        }()
 
@@ -85,7 +85,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
        if err != nil {
                return false, err
        }
-       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
        return true, nil
 }
 
@@ -475,9 +475,9 @@ func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
 func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
        if remember {
                days := 86400 * setting.LogInRememberDays
-               ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+               ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
                ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
-                       setting.CookieRememberName, u.Name, days, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+                       setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
        }
 
        _ = ctx.Session.Delete("openid_verified_uri")
@@ -507,10 +507,10 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
                }
        }
 
-       ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+       ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
 
        // Clear whatever CSRF has right now, force to generate a new one
-       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
 
        // Register last login
        u.SetLastLogin()
@@ -610,7 +610,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
                        }
 
                        // Clear whatever CSRF has right now, force to generate a new one
-                       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+                       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
 
                        // Register last login
                        u.SetLastLogin()
@@ -968,10 +968,10 @@ func handleSignOut(ctx *context.Context) {
        _ = ctx.Session.Delete("socialId")
        _ = ctx.Session.Delete("socialName")
        _ = ctx.Session.Delete("socialEmail")
-       ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
-       ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
-       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
-       ctx.SetCookie("lang", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
+       ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+       ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+       ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+       ctx.SetCookie("lang", "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
 }
 
 // SignOut sign out from login status

diff --git a/routers/user/setting/profile.go b/routers/user/setting/profile.go
index 163bc869b4a167fb3077776b8b922309f60605b2..64828e90eed06c32aa12b9be57668b8ff476d761 100644 (file)
--- a/routers/user/setting/profile.go
+++ b/routers/user/setting/profile.go
@@ -104,7 +104,7 @@ func ProfilePost(ctx *context.Context, form auth.UpdateProfileForm) {
        }
 
        // Update the language to the one we just set
-       ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
+       ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
 
        log.Trace("User settings updated: %s", ctx.User.Name)
        ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))

diff --git a/vendor/github.com/go-macaron/csrf/.travis.yml b/vendor/github.com/go-macaron/csrf/.travis.yml
index 8d6a90868cf32a0db088d87f036cc81f5f87e620..81680f0f025336b890b46fe7fa6820d72c888d51 100644 (file)
--- a/vendor/github.com/go-macaron/csrf/.travis.yml
+++ b/vendor/github.com/go-macaron/csrf/.travis.yml
@@ -1,7 +1,6 @@
 sudo: false
 language: go
 go:
-  - 1.5.x
   - 1.6.x
   - 1.7.x
   - 1.8.x

diff --git a/vendor/github.com/go-macaron/csrf/csrf.go b/vendor/github.com/go-macaron/csrf/csrf.go
index 19c9b479fa2570212d72f9ec3d09e4f458682930..00f3c3c9c08ac6faaa8ac8b02a5fe8476eefc0be 100644 (file)
--- a/vendor/github.com/go-macaron/csrf/csrf.go
+++ b/vendor/github.com/go-macaron/csrf/csrf.go
@@ -25,7 +25,7 @@ import (
        "gopkg.in/macaron.v1"
 )
 
-const _VERSION = "0.1.0"
+const _VERSION = "0.1.1"
 
 func Version() string {
        return _VERSION
@@ -58,6 +58,8 @@ type csrf struct {
        Form string
        // Cookie name value for setting and getting csrf token.
        Cookie string
+       //Cookie domain
+       CookieDomain string
        //Cookie path
        CookiePath string
        // Cookie HttpOnly flag value used for the csrf token.
@@ -123,8 +125,10 @@ type Options struct {
        Form string
        // Cookie value used to set and get token.
        Cookie string
+       // Cookie domain.
+       CookieDomain string
        // Cookie path.
-       CookiePath string
+       CookiePath     string
        CookieHttpOnly bool
        // Key used for getting the unique ID per user.
        SessionKey string
@@ -187,6 +191,7 @@ func Generate(options ...Options) macaron.Handler {
                        Header:         opt.Header,
                        Form:           opt.Form,
                        Cookie:         opt.Cookie,
+                       CookieDomain:   opt.CookieDomain,
                        CookiePath:     opt.CookiePath,
                        CookieHttpOnly: opt.CookieHttpOnly,
                        ErrorFunc:      opt.ErrorFunc,
@@ -222,7 +227,7 @@ func Generate(options ...Options) macaron.Handler {
                        // FIXME: actionId.
                        x.Token = GenerateToken(x.Secret, x.ID, "POST")
                        if opt.SetCookie {
-                               ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, "", opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
+                               ctx.SetCookie(opt.Cookie, x.Token, 0, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHttpOnly, time.Now().AddDate(0, 0, 1))
                        }
                }
 

diff --git a/vendor/github.com/go-macaron/csrf/xsrf.go b/vendor/github.com/go-macaron/csrf/xsrf.go
index 81ed5d0fc5803a3f7857bc30dfe516a19f9f79a2..7f31894f9500b7e69b7a54fbbdbbfa7bb6ae927d 100644 (file)
--- a/vendor/github.com/go-macaron/csrf/xsrf.go
+++ b/vendor/github.com/go-macaron/csrf/xsrf.go
@@ -50,7 +50,7 @@ func generateTokenAtTime(key, userID, actionID string, now time.Time) string {
        h := hmac.New(sha1.New, []byte(key))
        fmt.Fprintf(h, "%s:%s:%d", clean(userID), clean(actionID), now.UnixNano())
        tok := fmt.Sprintf("%s:%d", h.Sum(nil), now.UnixNano())
-       return base64.URLEncoding.EncodeToString([]byte(tok))
+       return base64.RawURLEncoding.EncodeToString([]byte(tok))
 }
 
 // Valid returns true if token is a valid, unexpired token returned by Generate.
@@ -61,7 +61,7 @@ func ValidToken(token, key, userID, actionID string) bool {
 // validTokenAtTime is like Valid, but it uses now to check if the token is expired.
 func validTokenAtTime(token, key, userID, actionID string, now time.Time) bool {
        // Decode the token.
-       data, err := base64.URLEncoding.DecodeString(token)
+       data, err := base64.RawURLEncoding.DecodeString(token)
        if err != nil {
                return false
        }

diff --git a/vendor/github.com/go-macaron/i18n/.travis.yml b/vendor/github.com/go-macaron/i18n/.travis.yml
index 2774fb35d50bb836bb80aa1f120e7cf3d0c97bfd..f331c2c84ab3e46673742dc8776603dc372f11fb 100644 (file)
--- a/vendor/github.com/go-macaron/i18n/.travis.yml
+++ b/vendor/github.com/go-macaron/i18n/.travis.yml
@@ -1,14 +1,11 @@
 sudo: false
 language: go
-
 go:
-  - 1.3
-  - 1.4
-  - 1.5
-  - tip
+  - 1.6.x
+  - 1.7.x
+  - 1.8.x
+  - 1.9.x
+  - 1.10.x
+  - 1.11.x
 
 script: go test -v -cover -race
-
-notifications:
-  email:
-    - u@gogs.io

diff --git a/vendor/github.com/go-macaron/i18n/i18n.go b/vendor/github.com/go-macaron/i18n/i18n.go
index 3b5b1b834d8ed381e2ed2d89c0af46305f1783e0..4f386a0bbdbd6d9b786028010bde27f272dfb8e9 100644 (file)
--- a/vendor/github.com/go-macaron/i18n/i18n.go
+++ b/vendor/github.com/go-macaron/i18n/i18n.go
@@ -26,7 +26,7 @@ import (
        "gopkg.in/macaron.v1"
 )
 
-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"
 
 func Version() string {
        return _VERSION
@@ -96,6 +96,8 @@ type Options struct {
        TmplName string
        // Configuration section name. Default is "i18n".
        Section string
+       // Domain used for `lang` cookie. Default is ""
+       CookieDomain string
 }
 
 func prepareOptions(options []Options) Options {
@@ -193,7 +195,7 @@ func I18n(options ...Options) macaron.Handler {
 
                // Save language information in cookies.
                if !hasCookie {
-                       ctx.SetCookie("lang", curLang.Lang, 1<<31-1, "/"+strings.TrimPrefix(opt.SubURL, "/"))
+                       ctx.SetCookie("lang", curLang.Lang, 1<<31-1, "/"+strings.TrimPrefix(opt.SubURL, "/"), opt.CookieDomain)
                }
 
                restLangs := make([]LangType, 0, i18n.Count()-1)

diff --git a/vendor/modules.txt b/vendor/modules.txt
index 0e9d3c316394529d74b06c3697c63ead9cccf9f3..567ace18770c64228163fe97710b52ff82a37bad 100644 (file)
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -128,9 +128,9 @@ github.com/go-macaron/cache/redis
 github.com/go-macaron/captcha
 # github.com/go-macaron/cors v0.0.0-20190309005821-6fd6a9bfe14e9
 github.com/go-macaron/cors
-# github.com/go-macaron/csrf v0.0.0-20180426211211-503617c6b372
+# github.com/go-macaron/csrf v0.0.0-20190131233648-3751b136073c
 github.com/go-macaron/csrf
-# github.com/go-macaron/i18n v0.0.0-20160612092837-ef57533c3b0f
+# github.com/go-macaron/i18n v0.0.0-20190131234336-56731837a73b
 github.com/go-macaron/i18n
 # github.com/go-macaron/inject v0.0.0-20160627170012-d8a0b8677191
 github.com/go-macaron/inject