liz/wikijs-fork
liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: enable passport-azure-ad workaround for SameSite cookies (#2567)

Browse Source 
This adds cookieEncryptionKeyString configuration in the Azure AD
authentication module.  It represents an array of cookie encryption
strings and enables workaround for SameSite cookies.
This commit is contained in:
YAEGASHI Takeshi 2020-11-02 03:10:50 +09:00 committed by GitHub
parent a6bf2412d7
commit a3513b1bdf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
server/modules/authentication/azure/authentication.js
View File

@ -10,6 +10,19 @@ const OIDCStrategy = require('passport-azure-ad').OIDCStrategy
module.exports = {
init (passport, conf) {
// Workaround for Chrome's SameSite cookies
// cookieSameSite needs useCookieInsteadOfSession to work correctly.
// cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
// It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
// Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
const keyArray = [];
if (conf.cookieEncryptionKeyString) {
let keyString = conf.cookieEncryptionKeyString;
while (keyString.length >= 44) {
keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });
keyString = keyString.substring(44);
}
}
passport.use('azure',
new OIDCStrategy({
identityMetadata: conf.entryPoint,
@ -19,7 +32,10 @@ module.exports = {
responseMode: 'form_post',
scope: ['profile', 'email', 'openid'],
allowHttpForRedirectUrl: WIKI.IS_DEBUG,
passReqToCallback: true
passReqToCallback: true,
cookieSameSite: keyArray.length > 0,
useCookieInsteadOfSession: keyArray.length > 0,
cookieEncryptionKeys: keyArray
}, async (req, iss, sub, profile, cb) => {
const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
try {

6
server/modules/authentication/azure/definition.yml
View File

@ -22,4 +22,8 @@ props:
title: Client ID
hint: The client ID of your application in AAD (Azure Active Directory)
order: 2
cookieEncryptionKeyString:
type: String
title: Cookie Encryption Key String
hint: Random string with 44-character length. Setting this enables workaround for Chrome's SameSite cookies.
order: 3