Add SameSite setting for cookies (#14900)
Add SameSite setting for cookies and rationalise the cookie setting code. Switches SameSite to Lax by default. There is a possible future extension of differentiating which cookies could be set at Strict by default but that is for a future PR. Fix #5583 Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
parent
beed5476e2
commit
9b261f52f0
14 changed files with 184 additions and 45 deletions
|
@ -794,6 +794,8 @@ COOKIE_SECURE = false
|
||||||
GC_INTERVAL_TIME = 86400
|
GC_INTERVAL_TIME = 86400
|
||||||
; Session life time in seconds, default is 86400 (1 day)
|
; Session life time in seconds, default is 86400 (1 day)
|
||||||
SESSION_LIFE_TIME = 86400
|
SESSION_LIFE_TIME = 86400
|
||||||
|
; SameSite settings. Either "none", "lax", or "strict"
|
||||||
|
SAME_SITE=lax
|
||||||
|
|
||||||
[picture]
|
[picture]
|
||||||
AVATAR_UPLOAD_PATH = data/avatars
|
AVATAR_UPLOAD_PATH = data/avatars
|
||||||
|
|
|
@ -557,6 +557,8 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
|
||||||
- `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
|
- `COOKIE_NAME`: **i\_like\_gitea**: The name of the cookie used for the session ID.
|
||||||
- `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
|
- `GC_INTERVAL_TIME`: **86400**: GC interval in seconds.
|
||||||
- `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day)
|
- `SESSION_LIFE_TIME`: **86400**: Session life time in seconds, default is 86400 (1 day)
|
||||||
|
- `DOMAIN`: **\<empty\>**: Sets the cookie Domain
|
||||||
|
- `SAME_SITE`: **lax** \[strict, lax, none\]: Set the SameSite setting for the cookie.
|
||||||
|
|
||||||
## Picture (`picture`)
|
## Picture (`picture`)
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,6 @@ import (
|
||||||
|
|
||||||
"code.gitea.io/gitea/models"
|
"code.gitea.io/gitea/models"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
|
||||||
"code.gitea.io/gitea/modules/web/middleware"
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -129,8 +128,8 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
middleware.SetCookie(resp, "lang", user.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.SetLocaleCookie(resp, user.Language, 0)
|
||||||
|
|
||||||
// Clear whatever CSRF has right now, force to generate a new one
|
// Clear whatever CSRF has right now, force to generate a new one
|
||||||
middleware.SetCookie(resp, setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.DeleteCSRFCookie(resp)
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,6 +9,7 @@ import (
|
||||||
"code.gitea.io/gitea/models"
|
"code.gitea.io/gitea/models"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ToggleOptions contains required or check options
|
// ToggleOptions contains required or check options
|
||||||
|
@ -41,7 +42,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
|
||||||
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
||||||
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
|
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
|
||||||
if ctx.Req.URL.Path != "/user/events" {
|
if ctx.Req.URL.Path != "/user/events" {
|
||||||
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
|
middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
|
||||||
}
|
}
|
||||||
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
|
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
|
||||||
return
|
return
|
||||||
|
@ -69,7 +70,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
|
||||||
if options.SignInRequired {
|
if options.SignInRequired {
|
||||||
if !ctx.IsSigned {
|
if !ctx.IsSigned {
|
||||||
if ctx.Req.URL.Path != "/user/events" {
|
if ctx.Req.URL.Path != "/user/events" {
|
||||||
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
|
middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
|
||||||
}
|
}
|
||||||
ctx.Redirect(setting.AppSubURL + "/user/login")
|
ctx.Redirect(setting.AppSubURL + "/user/login")
|
||||||
return
|
return
|
||||||
|
@ -84,7 +85,7 @@ func Toggle(options *ToggleOptions) func(ctx *Context) {
|
||||||
if !options.SignOutRequired && !ctx.IsSigned &&
|
if !options.SignOutRequired && !ctx.IsSigned &&
|
||||||
len(ctx.GetCookie(setting.CookieUserName)) > 0 {
|
len(ctx.GetCookie(setting.CookieUserName)) > 0 {
|
||||||
if ctx.Req.URL.Path != "/user/events" {
|
if ctx.Req.URL.Path != "/user/events" {
|
||||||
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
|
middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
|
||||||
}
|
}
|
||||||
ctx.Redirect(setting.AppSubURL + "/user/login")
|
ctx.Redirect(setting.AppSubURL + "/user/login")
|
||||||
return
|
return
|
||||||
|
|
|
@ -386,9 +386,28 @@ func (ctx *Context) Redirect(location string, status ...int) {
|
||||||
http.Redirect(ctx.Resp, ctx.Req, location, code)
|
http.Redirect(ctx.Resp, ctx.Req, location, code)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetCookie set cookies to web browser
|
// SetCookie convenience function to set most cookies consistently
|
||||||
func (ctx *Context) SetCookie(name string, value string, others ...interface{}) {
|
// CSRF and a few others are the exception here
|
||||||
middleware.SetCookie(ctx.Resp, name, value, others...)
|
func (ctx *Context) SetCookie(name, value string, expiry int) {
|
||||||
|
middleware.SetCookie(ctx.Resp, name, value,
|
||||||
|
expiry,
|
||||||
|
setting.AppSubURL,
|
||||||
|
setting.SessionConfig.Domain,
|
||||||
|
setting.SessionConfig.Secure,
|
||||||
|
true,
|
||||||
|
middleware.SameSite(setting.SessionConfig.SameSite))
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteCookie convenience function to delete most cookies consistently
|
||||||
|
// CSRF and a few others are the exception here
|
||||||
|
func (ctx *Context) DeleteCookie(name string) {
|
||||||
|
middleware.SetCookie(ctx.Resp, name, "",
|
||||||
|
-1,
|
||||||
|
setting.AppSubURL,
|
||||||
|
setting.SessionConfig.Domain,
|
||||||
|
setting.SessionConfig.Secure,
|
||||||
|
true,
|
||||||
|
middleware.SameSite(setting.SessionConfig.SameSite))
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetCookie returns given cookie value from request header.
|
// GetCookie returns given cookie value from request header.
|
||||||
|
@ -399,6 +418,11 @@ func (ctx *Context) GetCookie(name string) string {
|
||||||
// GetSuperSecureCookie returns given cookie value from request header with secret string.
|
// GetSuperSecureCookie returns given cookie value from request header with secret string.
|
||||||
func (ctx *Context) GetSuperSecureCookie(secret, name string) (string, bool) {
|
func (ctx *Context) GetSuperSecureCookie(secret, name string) (string, bool) {
|
||||||
val := ctx.GetCookie(name)
|
val := ctx.GetCookie(name)
|
||||||
|
return ctx.CookieDecrypt(secret, val)
|
||||||
|
}
|
||||||
|
|
||||||
|
// CookieDecrypt returns given value from with secret string.
|
||||||
|
func (ctx *Context) CookieDecrypt(secret, val string) (string, bool) {
|
||||||
if val == "" {
|
if val == "" {
|
||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
|
@ -414,14 +438,21 @@ func (ctx *Context) GetSuperSecureCookie(secret, name string) (string, bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetSuperSecureCookie sets given cookie value to response header with secret string.
|
// SetSuperSecureCookie sets given cookie value to response header with secret string.
|
||||||
func (ctx *Context) SetSuperSecureCookie(secret, name, value string, others ...interface{}) {
|
func (ctx *Context) SetSuperSecureCookie(secret, name, value string, expiry int) {
|
||||||
|
text := ctx.CookieEncrypt(secret, value)
|
||||||
|
|
||||||
|
ctx.SetCookie(name, text, expiry)
|
||||||
|
}
|
||||||
|
|
||||||
|
// CookieEncrypt encrypts a given value using the provided secret
|
||||||
|
func (ctx *Context) CookieEncrypt(secret, value string) string {
|
||||||
key := pbkdf2.Key([]byte(secret), []byte(secret), 1000, 16, sha256.New)
|
key := pbkdf2.Key([]byte(secret), []byte(secret), 1000, 16, sha256.New)
|
||||||
text, err := com.AESGCMEncrypt(key, []byte(value))
|
text, err := com.AESGCMEncrypt(key, []byte(value))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic("error encrypting cookie: " + err.Error())
|
panic("error encrypting cookie: " + err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.SetCookie(name, hex.EncodeToString(text), others...)
|
return hex.EncodeToString(text)
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetCookieInt returns cookie result in int type.
|
// GetCookieInt returns cookie result in int type.
|
||||||
|
@ -533,6 +564,7 @@ func getCsrfOpts() CsrfOptions {
|
||||||
Header: "X-Csrf-Token",
|
Header: "X-Csrf-Token",
|
||||||
CookieDomain: setting.SessionConfig.Domain,
|
CookieDomain: setting.SessionConfig.Domain,
|
||||||
CookiePath: setting.SessionConfig.CookiePath,
|
CookiePath: setting.SessionConfig.CookiePath,
|
||||||
|
SameSite: setting.SessionConfig.SameSite,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -597,17 +629,17 @@ func Contexter() func(next http.Handler) http.Handler {
|
||||||
middleware.Domain(setting.SessionConfig.Domain),
|
middleware.Domain(setting.SessionConfig.Domain),
|
||||||
middleware.HTTPOnly(true),
|
middleware.HTTPOnly(true),
|
||||||
middleware.Secure(setting.SessionConfig.Secure),
|
middleware.Secure(setting.SessionConfig.Secure),
|
||||||
//middlewares.SameSite(opt.SameSite), FIXME: we need a samesite config
|
middleware.SameSite(setting.SessionConfig.SameSite),
|
||||||
)
|
)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.SetCookie("macaron_flash", "", -1,
|
middleware.SetCookie(ctx.Resp, "macaron_flash", "", -1,
|
||||||
setting.SessionConfig.CookiePath,
|
setting.SessionConfig.CookiePath,
|
||||||
middleware.Domain(setting.SessionConfig.Domain),
|
middleware.Domain(setting.SessionConfig.Domain),
|
||||||
middleware.HTTPOnly(true),
|
middleware.HTTPOnly(true),
|
||||||
middleware.Secure(setting.SessionConfig.Secure),
|
middleware.Secure(setting.SessionConfig.Secure),
|
||||||
//middleware.SameSite(), FIXME: we need a samesite config
|
middleware.SameSite(setting.SessionConfig.SameSite),
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
|
@ -22,6 +22,8 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
|
|
||||||
"github.com/unknwon/com"
|
"github.com/unknwon/com"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -37,6 +39,8 @@ type CSRF interface {
|
||||||
GetCookiePath() string
|
GetCookiePath() string
|
||||||
// Return the flag value used for the csrf token.
|
// Return the flag value used for the csrf token.
|
||||||
GetCookieHTTPOnly() bool
|
GetCookieHTTPOnly() bool
|
||||||
|
// Return cookie domain
|
||||||
|
GetCookieDomain() string
|
||||||
// Return the token.
|
// Return the token.
|
||||||
GetToken() string
|
GetToken() string
|
||||||
// Validate by token.
|
// Validate by token.
|
||||||
|
@ -93,6 +97,11 @@ func (c *csrf) GetCookieHTTPOnly() bool {
|
||||||
return c.CookieHTTPOnly
|
return c.CookieHTTPOnly
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetCookieDomain returns the flag value used for the csrf token.
|
||||||
|
func (c *csrf) GetCookieDomain() string {
|
||||||
|
return c.CookieDomain
|
||||||
|
}
|
||||||
|
|
||||||
// GetToken returns the current token. This is typically used
|
// GetToken returns the current token. This is typically used
|
||||||
// to populate a hidden form in an HTML template.
|
// to populate a hidden form in an HTML template.
|
||||||
func (c *csrf) GetToken() string {
|
func (c *csrf) GetToken() string {
|
||||||
|
@ -227,10 +236,14 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
|
||||||
if opt.CookieLifeTime == 0 {
|
if opt.CookieLifeTime == 0 {
|
||||||
expires = time.Now().AddDate(0, 0, 1)
|
expires = time.Now().AddDate(0, 0, 1)
|
||||||
}
|
}
|
||||||
ctx.SetCookie(opt.Cookie, x.Token, opt.CookieLifeTime, opt.CookiePath, opt.CookieDomain, opt.Secure, opt.CookieHTTPOnly, expires,
|
middleware.SetCookie(ctx.Resp, opt.Cookie, x.Token,
|
||||||
func(c *http.Cookie) {
|
opt.CookieLifeTime,
|
||||||
c.SameSite = opt.SameSite
|
opt.CookiePath,
|
||||||
},
|
opt.CookieDomain,
|
||||||
|
opt.Secure,
|
||||||
|
opt.CookieHTTPOnly,
|
||||||
|
expires,
|
||||||
|
middleware.SameSite(opt.SameSite),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -248,14 +261,22 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
|
||||||
func Validate(ctx *Context, x CSRF) {
|
func Validate(ctx *Context, x CSRF) {
|
||||||
if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
|
if token := ctx.Req.Header.Get(x.GetHeaderName()); len(token) > 0 {
|
||||||
if !x.ValidToken(token) {
|
if !x.ValidToken(token) {
|
||||||
ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
|
// Delete the cookie
|
||||||
|
middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
|
||||||
|
-1,
|
||||||
|
x.GetCookiePath(),
|
||||||
|
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
|
||||||
x.Error(ctx.Resp)
|
x.Error(ctx.Resp)
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
|
if token := ctx.Req.FormValue(x.GetFormName()); len(token) > 0 {
|
||||||
if !x.ValidToken(token) {
|
if !x.ValidToken(token) {
|
||||||
ctx.SetCookie(x.GetCookieName(), "", -1, x.GetCookiePath())
|
// Delete the cookie
|
||||||
|
middleware.SetCookie(ctx.Resp, x.GetCookieName(), "",
|
||||||
|
-1,
|
||||||
|
x.GetCookiePath(),
|
||||||
|
x.GetCookieDomain()) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
|
||||||
x.Error(ctx.Resp)
|
x.Error(ctx.Resp)
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
package setting
|
package setting
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"net/http"
|
||||||
"path"
|
"path"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -31,10 +32,13 @@ var (
|
||||||
Secure bool
|
Secure bool
|
||||||
// Cookie domain name. Default is empty.
|
// Cookie domain name. Default is empty.
|
||||||
Domain string
|
Domain string
|
||||||
|
// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"
|
||||||
|
SameSite http.SameSite
|
||||||
}{
|
}{
|
||||||
CookieName: "i_like_gitea",
|
CookieName: "i_like_gitea",
|
||||||
Gclifetime: 86400,
|
Gclifetime: 86400,
|
||||||
Maxlifetime: 86400,
|
Maxlifetime: 86400,
|
||||||
|
SameSite: http.SameSiteLaxMode,
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -52,6 +56,15 @@ func newSessionService() {
|
||||||
SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
|
SessionConfig.Gclifetime = sec.Key("GC_INTERVAL_TIME").MustInt64(86400)
|
||||||
SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
|
SessionConfig.Maxlifetime = sec.Key("SESSION_LIFE_TIME").MustInt64(86400)
|
||||||
SessionConfig.Domain = sec.Key("DOMAIN").String()
|
SessionConfig.Domain = sec.Key("DOMAIN").String()
|
||||||
|
samesiteString := sec.Key("SAME_SITE").In("lax", []string{"none", "lax", "strict"})
|
||||||
|
switch strings.ToLower(samesiteString) {
|
||||||
|
case "none":
|
||||||
|
SessionConfig.SameSite = http.SameSiteNoneMode
|
||||||
|
case "strict":
|
||||||
|
SessionConfig.SameSite = http.SameSiteStrictMode
|
||||||
|
default:
|
||||||
|
SessionConfig.SameSite = http.SameSiteLaxMode
|
||||||
|
}
|
||||||
|
|
||||||
json := jsoniter.ConfigCompatibleWithStandardLibrary
|
json := jsoniter.ConfigCompatibleWithStandardLibrary
|
||||||
shadowConfig, err := json.Marshal(SessionConfig)
|
shadowConfig, err := json.Marshal(SessionConfig)
|
||||||
|
|
|
@ -76,6 +76,47 @@ func NewCookie(name, value string, maxAge int) *http.Cookie {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetRedirectToCookie convenience function to set the RedirectTo cookie consistently
|
||||||
|
func SetRedirectToCookie(resp http.ResponseWriter, value string) {
|
||||||
|
SetCookie(resp, "redirect_to", value,
|
||||||
|
0,
|
||||||
|
setting.AppSubURL,
|
||||||
|
"",
|
||||||
|
setting.SessionConfig.Secure,
|
||||||
|
true,
|
||||||
|
SameSite(setting.SessionConfig.SameSite))
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteRedirectToCookie convenience function to delete most cookies consistently
|
||||||
|
func DeleteRedirectToCookie(resp http.ResponseWriter) {
|
||||||
|
SetCookie(resp, "redirect_to", "",
|
||||||
|
-1,
|
||||||
|
setting.AppSubURL,
|
||||||
|
"",
|
||||||
|
setting.SessionConfig.Secure,
|
||||||
|
true,
|
||||||
|
SameSite(setting.SessionConfig.SameSite))
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteSesionConfigPathCookie convenience function to delete SessionConfigPath cookies consistently
|
||||||
|
func DeleteSesionConfigPathCookie(resp http.ResponseWriter, name string) {
|
||||||
|
SetCookie(resp, name, "",
|
||||||
|
-1,
|
||||||
|
setting.SessionConfig.CookiePath,
|
||||||
|
setting.SessionConfig.Domain,
|
||||||
|
setting.SessionConfig.Secure,
|
||||||
|
true,
|
||||||
|
SameSite(setting.SessionConfig.SameSite))
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteCSRFCookie convenience function to delete SessionConfigPath cookies consistently
|
||||||
|
func DeleteCSRFCookie(resp http.ResponseWriter) {
|
||||||
|
SetCookie(resp, setting.CSRFCookieName, "",
|
||||||
|
-1,
|
||||||
|
setting.SessionConfig.CookiePath,
|
||||||
|
setting.SessionConfig.Domain) // FIXME: Do we need to set the Secure, httpOnly and SameSite values too?
|
||||||
|
}
|
||||||
|
|
||||||
// SetCookie set the cookies
|
// SetCookie set the cookies
|
||||||
// TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed.
|
// TODO: Copied from gitea.com/macaron/macaron and should be improved after macaron removed.
|
||||||
func SetCookie(resp http.ResponseWriter, name string, value string, others ...interface{}) {
|
func SetCookie(resp http.ResponseWriter, name string, value string, others ...interface{}) {
|
||||||
|
|
|
@ -7,6 +7,7 @@ package middleware
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
|
"code.gitea.io/gitea/modules/setting"
|
||||||
"code.gitea.io/gitea/modules/translation"
|
"code.gitea.io/gitea/modules/translation"
|
||||||
|
|
||||||
"github.com/unknwon/i18n"
|
"github.com/unknwon/i18n"
|
||||||
|
@ -42,8 +43,30 @@ func Locale(resp http.ResponseWriter, req *http.Request) translation.Locale {
|
||||||
}
|
}
|
||||||
|
|
||||||
if changeLang {
|
if changeLang {
|
||||||
SetCookie(resp, "lang", lang, 1<<31-1)
|
SetLocaleCookie(resp, lang, 1<<31-1)
|
||||||
}
|
}
|
||||||
|
|
||||||
return translation.NewLocale(lang)
|
return translation.NewLocale(lang)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetLocaleCookie convenience function to set the locale cookie consistently
|
||||||
|
func SetLocaleCookie(resp http.ResponseWriter, lang string, expiry int) {
|
||||||
|
SetCookie(resp, "lang", lang, expiry,
|
||||||
|
setting.AppSubURL,
|
||||||
|
setting.SessionConfig.Domain,
|
||||||
|
setting.SessionConfig.Secure,
|
||||||
|
true,
|
||||||
|
SameSite(setting.SessionConfig.SameSite))
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeleteLocaleCookie convenience function to delete the locale cookie consistently
|
||||||
|
// Setting the lang cookie will trigger the middleware to reset the language ot previous state.
|
||||||
|
func DeleteLocaleCookie(resp http.ResponseWriter) {
|
||||||
|
SetCookie(resp, "lang", "",
|
||||||
|
-1,
|
||||||
|
setting.AppSubURL,
|
||||||
|
setting.SessionConfig.Domain,
|
||||||
|
setting.SessionConfig.Secure,
|
||||||
|
true,
|
||||||
|
SameSite(setting.SessionConfig.SameSite))
|
||||||
|
}
|
||||||
|
|
|
@ -17,6 +17,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
"code.gitea.io/gitea/modules/structs"
|
"code.gitea.io/gitea/modules/structs"
|
||||||
"code.gitea.io/gitea/modules/util"
|
"code.gitea.io/gitea/modules/util"
|
||||||
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
"code.gitea.io/gitea/routers/user"
|
"code.gitea.io/gitea/routers/user"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -46,7 +47,7 @@ func Home(ctx *context.Context) {
|
||||||
} else if ctx.User.MustChangePassword {
|
} else if ctx.User.MustChangePassword {
|
||||||
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
|
||||||
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
|
ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
|
||||||
ctx.SetCookie("redirect_to", setting.AppSubURL+ctx.Req.URL.RequestURI(), 0, setting.AppSubURL)
|
middleware.SetRedirectToCookie(ctx.Resp, setting.AppSubURL+ctx.Req.URL.RequestURI())
|
||||||
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
|
ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
|
||||||
} else {
|
} else {
|
||||||
user.Dashboard(ctx)
|
user.Dashboard(ctx)
|
||||||
|
|
|
@ -424,9 +424,10 @@ func InstallPost(ctx *context.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
days := 86400 * setting.LogInRememberDays
|
days := 86400 * setting.LogInRememberDays
|
||||||
ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
ctx.SetCookie(setting.CookieUserName, u.Name, days)
|
||||||
|
|
||||||
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
|
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
|
||||||
setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
setting.CookieRememberName, u.Name, days)
|
||||||
|
|
||||||
// Auto-login for admin
|
// Auto-login for admin
|
||||||
if err = ctx.Session.Set("uid", u.ID); err != nil {
|
if err = ctx.Session.Set("uid", u.ID); err != nil {
|
||||||
|
|
|
@ -24,6 +24,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
"code.gitea.io/gitea/modules/timeutil"
|
"code.gitea.io/gitea/modules/timeutil"
|
||||||
"code.gitea.io/gitea/modules/web"
|
"code.gitea.io/gitea/modules/web"
|
||||||
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
"code.gitea.io/gitea/routers/utils"
|
"code.gitea.io/gitea/routers/utils"
|
||||||
"code.gitea.io/gitea/services/externalaccount"
|
"code.gitea.io/gitea/services/externalaccount"
|
||||||
"code.gitea.io/gitea/services/mailer"
|
"code.gitea.io/gitea/services/mailer"
|
||||||
|
@ -64,8 +65,8 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
|
||||||
defer func() {
|
defer func() {
|
||||||
if !isSucceed {
|
if !isSucceed {
|
||||||
log.Trace("auto-login cookie cleared: %s", uname)
|
log.Trace("auto-login cookie cleared: %s", uname)
|
||||||
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
ctx.DeleteCookie(setting.CookieUserName)
|
||||||
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
ctx.DeleteCookie(setting.CookieRememberName)
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
@ -95,7 +96,7 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
|
||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.DeleteCSRFCookie(ctx.Resp)
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -109,13 +110,13 @@ func checkAutoLogin(ctx *context.Context) bool {
|
||||||
|
|
||||||
redirectTo := ctx.Query("redirect_to")
|
redirectTo := ctx.Query("redirect_to")
|
||||||
if len(redirectTo) > 0 {
|
if len(redirectTo) > 0 {
|
||||||
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
|
||||||
} else {
|
} else {
|
||||||
redirectTo = ctx.GetCookie("redirect_to")
|
redirectTo = ctx.GetCookie("redirect_to")
|
||||||
}
|
}
|
||||||
|
|
||||||
if isSucceed {
|
if isSucceed {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
middleware.DeleteRedirectToCookie(ctx.Resp)
|
||||||
ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
|
ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
@ -497,9 +498,9 @@ func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
|
||||||
func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
|
func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
|
||||||
if remember {
|
if remember {
|
||||||
days := 86400 * setting.LogInRememberDays
|
days := 86400 * setting.LogInRememberDays
|
||||||
ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
ctx.SetCookie(setting.CookieUserName, u.Name, days)
|
||||||
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
|
ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
|
||||||
setting.CookieRememberName, u.Name, days, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
setting.CookieRememberName, u.Name, days)
|
||||||
}
|
}
|
||||||
|
|
||||||
_ = ctx.Session.Delete("openid_verified_uri")
|
_ = ctx.Session.Delete("openid_verified_uri")
|
||||||
|
@ -530,10 +531,10 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.SetCookie("lang", u.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
|
||||||
|
|
||||||
// Clear whatever CSRF has right now, force to generate a new one
|
// Clear whatever CSRF has right now, force to generate a new one
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.DeleteCSRFCookie(ctx.Resp)
|
||||||
|
|
||||||
// Register last login
|
// Register last login
|
||||||
u.SetLastLogin()
|
u.SetLastLogin()
|
||||||
|
@ -543,7 +544,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
|
||||||
}
|
}
|
||||||
|
|
||||||
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
|
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
middleware.DeleteRedirectToCookie(ctx.Resp)
|
||||||
if obeyRedirect {
|
if obeyRedirect {
|
||||||
ctx.RedirectToFirst(redirectTo)
|
ctx.RedirectToFirst(redirectTo)
|
||||||
}
|
}
|
||||||
|
@ -649,7 +650,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
|
||||||
}
|
}
|
||||||
|
|
||||||
// Clear whatever CSRF has right now, force to generate a new one
|
// Clear whatever CSRF has right now, force to generate a new one
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.DeleteCSRFCookie(ctx.Resp)
|
||||||
|
|
||||||
// Register last login
|
// Register last login
|
||||||
u.SetLastLogin()
|
u.SetLastLogin()
|
||||||
|
@ -664,7 +665,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
|
||||||
}
|
}
|
||||||
|
|
||||||
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
|
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
middleware.DeleteRedirectToCookie(ctx.Resp)
|
||||||
ctx.RedirectToFirst(redirectTo)
|
ctx.RedirectToFirst(redirectTo)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -1042,11 +1043,11 @@ func LinkAccountPostRegister(ctx *context.Context) {
|
||||||
func HandleSignOut(ctx *context.Context) {
|
func HandleSignOut(ctx *context.Context) {
|
||||||
_ = ctx.Session.Flush()
|
_ = ctx.Session.Flush()
|
||||||
_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
|
_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
|
||||||
ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
ctx.DeleteCookie(setting.CookieUserName)
|
||||||
ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
ctx.DeleteCookie(setting.CookieRememberName)
|
||||||
ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.DeleteCSRFCookie(ctx.Resp)
|
||||||
ctx.SetCookie("lang", "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true) // Setting the lang cookie will trigger the middleware to reset the language ot previous state.
|
middleware.DeleteLocaleCookie(ctx.Resp)
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL) // logout default should set redirect to to default
|
middleware.DeleteRedirectToCookie(ctx.Resp)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignOut sign out from login status
|
// SignOut sign out from login status
|
||||||
|
@ -1623,7 +1624,7 @@ func MustChangePasswordPost(ctx *context.Context) {
|
||||||
log.Trace("User updated password: %s", u.Name)
|
log.Trace("User updated password: %s", u.Name)
|
||||||
|
|
||||||
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
|
if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
|
middleware.DeleteRedirectToCookie(ctx.Resp)
|
||||||
ctx.RedirectToFirst(redirectTo)
|
ctx.RedirectToFirst(redirectTo)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
"code.gitea.io/gitea/modules/timeutil"
|
"code.gitea.io/gitea/modules/timeutil"
|
||||||
"code.gitea.io/gitea/modules/web"
|
"code.gitea.io/gitea/modules/web"
|
||||||
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
"code.gitea.io/gitea/services/mailer"
|
"code.gitea.io/gitea/services/mailer"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -47,13 +48,13 @@ func SignInOpenID(ctx *context.Context) {
|
||||||
|
|
||||||
redirectTo := ctx.Query("redirect_to")
|
redirectTo := ctx.Query("redirect_to")
|
||||||
if len(redirectTo) > 0 {
|
if len(redirectTo) > 0 {
|
||||||
ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
|
||||||
} else {
|
} else {
|
||||||
redirectTo = ctx.GetCookie("redirect_to")
|
redirectTo = ctx.GetCookie("redirect_to")
|
||||||
}
|
}
|
||||||
|
|
||||||
if isSucceed {
|
if isSucceed {
|
||||||
ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL, "", setting.SessionConfig.Secure, true)
|
middleware.DeleteRedirectToCookie(ctx.Resp)
|
||||||
ctx.RedirectToFirst(redirectTo)
|
ctx.RedirectToFirst(redirectTo)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,6 +21,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
"code.gitea.io/gitea/modules/util"
|
"code.gitea.io/gitea/modules/util"
|
||||||
"code.gitea.io/gitea/modules/web"
|
"code.gitea.io/gitea/modules/web"
|
||||||
|
"code.gitea.io/gitea/modules/web/middleware"
|
||||||
|
|
||||||
"github.com/unknwon/i18n"
|
"github.com/unknwon/i18n"
|
||||||
)
|
)
|
||||||
|
@ -116,7 +117,7 @@ func ProfilePost(ctx *context.Context) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update the language to the one we just set
|
// Update the language to the one we just set
|
||||||
ctx.SetCookie("lang", ctx.User.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
|
middleware.SetLocaleCookie(ctx.Resp, ctx.User.Language, 0)
|
||||||
|
|
||||||
log.Trace("User settings updated: %s", ctx.User.Name)
|
log.Trace("User settings updated: %s", ctx.User.Name)
|
||||||
ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))
|
ctx.Flash.Success(i18n.Tr(ctx.User.Language, "settings.update_profile_success"))
|
||||||
|
|
Loading…
Reference in a new issue