diff options
| author | Joan Touzet <wohali@users.noreply.github.com> | 2017-09-29 13:22:48 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-09-29 13:22:48 -0400 |
| commit | 0eb7677788a3852e64c7f16042343fb0ea126c8d (patch) | |
| tree | a2136649cd41f8a31139e3e02ed124c090e9c456 | |
| parent | 9751b067748e6fa0f15741613d95eb4737adf75f (diff) | |
| parent | 796e1b039f803c9e7d8785a4b54f2cb3c9be8528 (diff) | |
| download | couchdb-0eb7677788a3852e64c7f16042343fb0ea126c8d.tar.gz | |
Support setting cookie domain for AuthSession cookie
Merge pull request #827 from almightyju/master
| -rw-r--r-- | rel/overlay/etc/default.ini | 1 | ||||
| -rw-r--r-- | src/couch/src/couch_httpd_auth.erl | 9 | ||||
| -rwxr-xr-x | src/couch/test/couchdb_cookie_domain_tests.erl | 77 |
3 files changed, 86 insertions, 1 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini index 7cb805e94..122853542 100644 --- a/rel/overlay/etc/default.ini +++ b/rel/overlay/etc/default.ini @@ -177,6 +177,7 @@ iterations = 10 ; iterations for password hashing ; public_fields = ; secret = ; users_db_public = false +; cookie_domain = example.com ; CSP (Content Security Policy) Support for _utils [csp] diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl index 51a83e7e4..6ac7b75af 100644 --- a/src/couch/src/couch_httpd_auth.erl +++ b/src/couch/src/couch_httpd_auth.erl @@ -265,7 +265,7 @@ cookie_auth_cookie(Req, User, Secret, TimeStamp) -> Hash = crypto:hmac(sha, Secret, SessionData), mochiweb_cookies:cookie("AuthSession", couch_util:encodeBase64Url(SessionData ++ ":" ++ ?b2l(Hash)), - [{path, "/"}] ++ cookie_scheme(Req) ++ max_age()). + [{path, "/"}] ++ cookie_scheme(Req) ++ max_age() ++ cookie_domain()). ensure_cookie_auth_secret() -> case config:get("couch_httpd_auth", "secret", undefined) of @@ -442,6 +442,13 @@ max_age() -> [{max_age, Timeout}] end. +cookie_domain() -> + Domain = config:get("couch_httpd_auth", "cookie_domain", ""), + case Domain of + "" -> []; + _ -> [{domain, Domain}] + end. + reject_if_totp(User) -> case get_totp_config(User) of undefined -> diff --git a/src/couch/test/couchdb_cookie_domain_tests.erl b/src/couch/test/couchdb_cookie_domain_tests.erl new file mode 100755 index 000000000..1a9aedb93 --- /dev/null +++ b/src/couch/test/couchdb_cookie_domain_tests.erl @@ -0,0 +1,77 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couchdb_cookie_domain_tests). + +-include_lib("couch/include/couch_eunit.hrl"). +-include_lib("couch/include/couch_db.hrl"). + +-define(USER, "cookie_domain_test_admin"). +-define(PASS, "pass"). + +setup(PortType) -> + Hashed = couch_passwords:hash_admin_password(?PASS), + ok = config:set("admins", ?USER, ?b2l(Hashed), _Persist=false), + Addr = config:get("httpd", "bind_address", "127.0.0.1"), + lists:concat(["http://", Addr, ":", port(PortType), "/_session"]). + +teardown(_,_) -> + ok = config:delete("admins", ?USER, _Persist=false). + +cookie_test_() -> + Tests = [ + fun should_set_cookie_domain/2, + fun should_not_set_cookie_domain/2 + ], + { + "Cookie domain tests", + { + setup, + fun() -> test_util:start_couch([chttpd]) end, fun test_util:stop_couch/1, + [ + make_test_case(clustered, Tests) + ] + } + }. + +make_test_case(Mod, Funs) -> +{ + lists:flatten(io_lib:format("~s", [Mod])), + {foreachx, fun setup/1, fun teardown/2, [{Mod, Fun} || Fun <- Funs]} +}. + +should_set_cookie_domain(_PortType, Url) -> + ?_assertEqual(true, + begin + ok = config:set("couch_httpd_auth", "cookie_domain", "example.com", false), + {ok, Code, Headers, _} = test_request:post(Url, [{"Content-Type", "application/json"}], + "{\"name\":\"" ++ ?USER ++ "\", \"password\": \"" ++ ?PASS ++ "\"}"), + ?_assert(Code =:= 200), + Cookie = proplists:get_value("Set-Cookie", Headers), + string:str(Cookie, "; Domain=example.com") > 0 + end). + +should_not_set_cookie_domain(_PortType, Url) -> + ?_assertEqual(0, + begin + ok = config:set("couch_httpd_auth", "cookie_domain", "", false), + {ok, Code, Headers, _} = test_request:post(Url, [{"Content-Type", "application/json"}], + "{\"name\":\"" ++ ?USER ++ "\", \"password\": \"" ++ ?PASS ++ "\"}"), + ?_assert(Code =:= 200), + Cookie = proplists:get_value("Set-Cookie", Headers), + string:str(Cookie, "; Domain=") + end). + +port(clustered) -> + integer_to_list(mochiweb_socket_server:get(chttpd, port)); +port(backdoor) -> + integer_to_list(mochiweb_socket_server:get(couch_httpd, port)). |