fix: enable passport-azure-ad workaround for SameSite cookies (#2567)

This adds cookieEncryptionKeyString configuration in the Azure AD
authentication module.  It represents an array of cookie encryption
strings and enables workaround for SameSite cookies.
This commit is contained in:
YAEGASHI Takeshi 2020-11-02 03:10:50 +09:00 committed by GitHub
parent a6bf2412d7
commit a3513b1bdf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 2 deletions

View File

@ -10,6 +10,19 @@ const OIDCStrategy = require('passport-azure-ad').OIDCStrategy
module.exports = { module.exports = {
init (passport, conf) { init (passport, conf) {
// Workaround for Chrome's SameSite cookies
// cookieSameSite needs useCookieInsteadOfSession to work correctly.
// cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
// It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
// Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
const keyArray = [];
if (conf.cookieEncryptionKeyString) {
let keyString = conf.cookieEncryptionKeyString;
while (keyString.length >= 44) {
keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });
keyString = keyString.substring(44);
}
}
passport.use('azure', passport.use('azure',
new OIDCStrategy({ new OIDCStrategy({
identityMetadata: conf.entryPoint, identityMetadata: conf.entryPoint,
@ -19,7 +32,10 @@ module.exports = {
responseMode: 'form_post', responseMode: 'form_post',
scope: ['profile', 'email', 'openid'], scope: ['profile', 'email', 'openid'],
allowHttpForRedirectUrl: WIKI.IS_DEBUG, allowHttpForRedirectUrl: WIKI.IS_DEBUG,
passReqToCallback: true passReqToCallback: true,
cookieSameSite: keyArray.length > 0,
useCookieInsteadOfSession: keyArray.length > 0,
cookieEncryptionKeys: keyArray
}, async (req, iss, sub, profile, cb) => { }, async (req, iss, sub, profile, cb) => {
const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username') const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
try { try {

View File

@ -22,4 +22,8 @@ props:
title: Client ID title: Client ID
hint: The client ID of your application in AAD (Azure Active Directory) hint: The client ID of your application in AAD (Azure Active Directory)
order: 2 order: 2
cookieEncryptionKeyString:
type: String
title: Cookie Encryption Key String
hint: Random string with 44-character length. Setting this enables workaround for Chrome's SameSite cookies.
order: 3