
Update cookie to not use wildcard domain

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/552058+

Description

This MR updates the OAuth flow so that the cookie set on a workspace has the following properties:

  • The domain property of the cookie is the actual host of the workspace and not the wildcard domain. This prevents session state from being clobbered across workspaces that share the wildcard parent domain.
  • The http-only property of the cookie is set to true.
  • The secure property of the cookie is set to true if the connection is secure.
  • The same-site property of the cookie is set to lax.

Updated OAuth flow

  1. User accesses ws1.workspaces.example.com.
  2. Auth middleware detects that there is neither a valid cookie nor a transfer token in the query params. It redirects to the OAuth provider - gitlab.example.com/oauth/authorize.
  3. OAuth provider performs authentication and redirects back to workspaces.example.com/auth/callback.
  4. OAuth redirect callback handler exchanges the code for a token, gets the authenticated user from the token, checks whether the user is authorized to access the workspace and redirects back to the original URL with an additional query param containing the transfer JWT. This JWT is valid for a very short time (e.g. 30 seconds).
  5. Auth middleware detects that there is no valid cookie but there is a transfer JWT in the query param. It reads the JWT from the query param value, checks that it is valid, generates a new cookie JWT and sets the cookie for the domain ws1.workspaces.example.com. It removes the query param from the request's URL and redirects back to the original URL with the cookie set.
  6. Auth middleware detects a cookie, extracts the session from the cookie, validates the JWT in the cookie value, adds the user to the request context, serves the next middleware and returns.
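The middleware side of the flow above (steps 2, 5 and 6), written as an added Go example rather than the proxy's own code. The callback handler of step 4 is not modelled; the test below mints a transfer token directly. HMAC-SHA256 tokens in a `payload.signature` shape stand in for the JWTs, and the param name `transfer_token`, the cookie name `workspace_session`, the `X-Authenticated-User` header, the provider URL and the TTLs are all made-up names for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Names and TTLs below are illustrative, not the proxy's real ones.
const (
	transferParam = "transfer_token"
	cookieName    = "workspace_session"
	providerURL   = "https://gitlab.example.com/oauth/authorize"
	transferTTL   = 30 * time.Second // step 4: seconds, not hours
	sessionTTL    = 8 * time.Hour
)

// Claims is the payload of both tokens; Kind stops a transfer token being replayed as a session token.
type Claims struct {
	Sub  string `json:"sub"`
	Kind string `json:"kind"`
	Exp  int64  `json:"exp"`
}

// Sign returns "base64url(payload).base64url(HMAC-SHA256)", a JWT stand-in.
func Sign(key []byte, c Claims) string {
	payload, _ := json.Marshal(c)
	body := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Verify checks the signature (constant-time), the kind and the expiry.
func Verify(key []byte, token, kind string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0]))
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[1])
	payload, errPayload := base64.RawURLEncoding.DecodeString(parts[0])
	if errSig != nil || errPayload != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	if json.Unmarshal(payload, &c) != nil || c.Kind != kind || now.Unix() >= c.Exp {
		return c, errors.New("bad payload, wrong kind or expired")
	}
	return c, nil
}

// SessionCookie applies the four properties from the MR description.
func SessionCookie(r *http.Request, value string) *http.Cookie {
	host, _, _ := strings.Cut(r.Host, ":") // Domain must not carry a port
	return &http.Cookie{
		Name:     cookieName,
		Value:    value,
		Path:     "/",
		Domain:   host, // the exact workspace host, never the wildcard parent
		HttpOnly: true,
		Secure:   r.TLS != nil, // only when the connection really is TLS
		SameSite: http.SameSiteLaxMode,
	}
}

// AuthMiddleware implements steps 2, 5 and 6; now is injectable for tests.
func AuthMiddleware(key []byte, now func() time.Time, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Step 6: a valid session cookie means the request is served.
		if ck, err := r.Cookie(cookieName); err == nil {
			if c, err := Verify(key, ck.Value, "session", now()); err == nil {
				r.Header.Set("X-Authenticated-User", c.Sub) // stand-in for request context
				next.ServeHTTP(w, r)
				return
			}
		}
		// Step 5: swap a valid transfer token for a cookie, then strip it from the URL.
		if tok := r.URL.Query().Get(transferParam); tok != "" {
			if c, err := Verify(key, tok, "transfer", now()); err == nil {
				sess := Sign(key, Claims{Sub: c.Sub, Kind: "session", Exp: now().Add(sessionTTL).Unix()})
				http.SetCookie(w, SessionCookie(r, sess))
				u, q := *r.URL, r.URL.Query()
				q.Del(transferParam)
				u.RawQuery = q.Encode()
				http.Redirect(w, r, u.String(), http.StatusFound)
				return
			}
		}
		// Step 2: nothing usable, start the OAuth dance.
		http.Redirect(w, r, providerURL, http.StatusFound)
	})
}
```

Two caveats worth knowing when checking the cookie in developer tools. First, a cookie that carries an explicit Domain attribute is, per RFC 6265, also sent to subdomains of that host; omitting the Domain attribute entirely yields a host-only cookie, which is the strictest option if nothing under ws1.workspaces.example.com ever needs it. Second, `r.TLS` is nil when TLS is terminated by a load balancer in front of the proxy, so a real deployment derives the secure property from a forwarded-proto header it trusts, not from the socket. SameSite=Lax is what lets the cookie ride along on the top-level redirect in step 5 while still being withheld from cross-site POSTs and subresource loads.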

Testing artifacts

I created a workspace and accessed it.

Before this MR

Screenshot_2025-07-23_at_3.08.26_PM

After this MR

Screenshot_2025-07-23_at_3.12.58_PM

Steps to verify

  1. Create a workspace from this project using the agent specified below.
  2. Open the workspace and open developer tools.
  3. Check the cookie properties.


Edited by Vishal Tak
