From 591aea717b9ac4735cc18ec2a2ecdd2b4038c395 Mon Sep 17 00:00:00 2001
From: efim
Date: Mon, 9 Oct 2023 04:50:33 +0000
Subject: [PATCH] fix: setting Secure behind nginx bug was due to having explicit 'serve --http=address' when running behind nginx on NixOS server So either a more complicated check was required, or just setting Secure=true unconditionally. This seems to be a better way, because Firefox already allows secure cookies beng sent and received from localhost for dev purposes, and Chromium does too
---
 auth-notes.org | 25 +++++++++++++++++++++++++
 main.go | 13 ++++--------
 middleware/auth.go | 15 ++++++--------
 3 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/auth-notes.org b/auth-notes.org
index 522ed23..6d34e09 100644
--- a/auth-notes.org
+++ b/auth-notes.org
@@ -214,6 +214,31 @@ this is all that's needed to enable tls mind blown
 ** DONE somehow set cookie to httpOnly & secure with ability to disable for development session
+*** a complication
+since i'm under the nginx, i can't just match on the serving address :
+#+begin_src
+[efim@franzk:~]$ systemctl status pb-auth-example-app.service
+● pb-auth-example-app.service - Exercise app auth-pocketbase-attempt
+ Loaded: loaded (/etc/systemd/system/pb-auth-example-app.service; enabled; preset: enabled)
+ Active: active (running) since Mon 2023-10-09 04:29:20 UTC; 1min 17s ago
+ Main PID: 411857 (auth-pocketbase)
+ Tasks: 13 (limit: 629145)
+ Memory: 28.3M
+ CPU: 148ms
+ CGroup: /system.slice/pb-auth-example-app.service
+ └─411857 /nix/store/czq95bjhwszasncp8f04d9yn4m0xf4kw-auth-pocketbase-attempt-0.0.1/bin/auth-pocketbase-attempt serve --http 127.0.0.1:45001 --dir=/home/pb-auth-example-app-user
+
+Oct 09 04:29:20 franzk systemd[1]: Started Exercise app auth-pocketbase-attempt.
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Warning: starting server with cookie Secure = false!
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Server started at http://127.0.0.1:45001
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: ├─ REST API: http://127.0.0.1:45001/api/
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: └─ Admin UI: http://127.0.0.1:45001/_/
+#+end_src
+*** so, custom arg is required, hello
+https://github.com/pocketbase/pocketbase/discussions/1900
+*** holy cow, Firefox and later Chrome will accept Secure cookie on localhost
+https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost
+ ** TODO maybe add middleware so that 401 would be a page, and not json
 ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
diff --git a/main.go b/main.go
index 3549130..a63b24f 100644
--- a/main.go
+++ b/main.go
@@ -2,8 +2,6 @@ package main
 import (
 "log"
- "strings"
-
 "github.com/pocketbase/pocketbase"
 "sunshine.industries/auth-pocketbase-attempt/middleware"
 "sunshine.industries/auth-pocketbase-attempt/pages"
@@ -12,13 +10,10 @@ import (
 func main() {
 app := pocketbase.New()
- servedName := app.Settings().Meta.AppUrl
- isTlsEnabled := strings.HasPrefix(servedName, "https://")
-
- middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
+ middleware.AddCookieSessionMiddleware(app)
 pages.AddPageRoutes(app)
- if err := app.Start(); err != nil {
- log.Fatal(err)
- }
+ if err := app.Start(); err != nil {
+ log.Fatal(err)
+ }
 }
diff --git a/middleware/auth.go b/middleware/auth.go
index 234e6a9..1fef930 100644
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -1,7 +1,6 @@
 package middleware
 import (
- "log"
 "net/http"
 "github.com/labstack/echo/v5"
@@ -15,9 +14,7 @@ import (
 const AuthCookieName = "Auth"
-func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
- log.Println("Warning: starting server with cookie Secure = false!")
-
+func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
 e.Router.Use(loadAuthContextFromCookie(app))
 return nil
@@ -29,7 +26,7 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 Name: AuthCookieName,
 Value: e.Token,
 Path: "/",
- Secure: isTlsEnabled,
+ Secure: true,
 HttpOnly: true,
 })
 e.HttpContext.SetCookie(&http.Cookie{
@@ -43,12 +40,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 Name: AuthCookieName,
 Value: e.Token,
 Path: "/",
- Secure: isTlsEnabled,
+ Secure: true,
 HttpOnly: true,
 })
 return nil
 })
- app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
+ app.OnBeforeServe().Add(getLogoutRoute(app))
 }
 func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
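Review bot: The cookie literals that now carry `Secure: true` (both in this function, plus the logout cookie in middleware/auth.go @@ -100) still set no SameSite attribute, so browsers that do not default to Lax will attach the auth cookie to cross-site requests; the usual companion to `HttpOnly: true` on a session cookie is `SameSite: http.SameSiteLaxMode,` next to each `Secure: true,`. Because the same attribute set is now spelled out in three places, a small constructor along the lines of `authCookie(value string, maxAge int) *http.Cookie` would stop them drifting apart again, which is exactly the kind of mismatch this commit is fixing. The removed `log.Println` warning also served a purpose: with Secure unconditional, a developer reaching the server over plain http from any origin other than localhost (the exception the commit message relies on) gets a cookie the browser silently drops and a login that appears to do nothing, so a startup log line stating that the auth cookie requires https or a localhost origin would be a useful replacement. AddCookieSessionMiddleware's body continues outside these hunks.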
@@ -92,7 +89,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
 }
 // render and return login page with configured oauth providers
-func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool) func(*core.ServeEvent) error {
+func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error {
 return func (e *core.ServeEvent) error {
 e.Router.GET("/logout", func(c echo.Context) error {
 c.SetCookie(&http.Cookie{
@@ -100,7 +97,7 @@ func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool) func(*core.S
 Value: "",
 Path: "/",
 MaxAge: -1,
- Secure: isTlsEnabled,
+ Secure: true,
 HttpOnly: true,
 })
 c.Response().Header().Add("HX-Trigger", "auth-change-event")
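Review bot: The comment on the context line directly above the changed signature, `// render and return login page with configured oauth providers`, describes a different handler; what follows registers GET /logout, expires the auth cookie with `MaxAge: -1` and adds the `HX-Trigger` header, so it should read `// getLogoutRoute registers GET /logout, which expires the auth cookie and announces the change via the HX-Trigger header.` The new signature keeps `app`, but nothing in the visible part of the closure uses it; if the rest of the function does not either, that parameter could be dropped along with isTlsEnabled. `return func (e *core.ServeEvent) error {` also looks like it has a space gofmt would remove, though whitespace in this patch was collapsed, so confirm against the file. Both hunks of getLogoutRoute end before the function does.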