chore: add custom samesite options to auth cookies (#16885)

Allows controlling `samesite` cookie settings from the deployment config
Steven Masley
2025-04-08 14:15:14 -05:00
committed by GitHub
parent 389e88ec82
commit 52d555880c
26 changed files with 240 additions and 67 deletions


@ -22,6 +22,7 @@ const (
type ResolveRequestOptions struct {
Logger slog.Logger
SignedTokenProvider SignedTokenProvider
CookieCfg codersdk.HTTPCookieConfig
DashboardURL *url.URL
PathAppBaseURL *url.URL
@ -75,12 +76,12 @@ func ResolveRequest(rw http.ResponseWriter, r *http.Request, opts ResolveRequest
//
// For subdomain apps, this applies to the entire subdomain, e.g.
// app--agent--workspace--user.apps.example.com
http.SetCookie(rw, &http.Cookie{
http.SetCookie(rw, opts.CookieCfg.Apply(&http.Cookie{
Name: codersdk.SignedAppTokenCookie,
Value: tokenStr,
Path: appReq.BasePath,
Expires: token.Expiry.Time(),
})
}))
return token, true
}
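Review bot: A `SameSite=None` value coming from the deployment config must be paired with `Secure`, and nothing in this hunk shows that `opts.CookieCfg.Apply(&http.Cookie{...})` enforces that for the signed app token cookie; modern browsers reject a `SameSite=None` cookie that is not `Secure`, so a misconfigured deployment would silently lose the token on every path/subdomain app request rather than fail loudly. Before this change the cookie literal carried no `SameSite` or `Secure` attribute at all, so the effective policy is now entirely whatever `Apply` emits when the config leaves those fields unset — presumably it preserves the previous behaviour, but that is not visible here and deserves a test on `Apply` with an empty config. Note also that, unlike the session-token cookie elsewhere in this commit, this literal sets no `HttpOnly`; if `Apply` does not add it and the omission is deliberate, a comment such as `// CookieCfg.Apply sets Secure/SameSite from the deployment config; HttpOnly is intentionally not set on the signed app token cookie` would stop the next reader from "fixing" it. ResolveRequest's signature appears only in the hunk header and its body begins before this hunk.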


@ -110,8 +110,8 @@ type Server struct {
//
// Subdomain apps are safer with their cookies scoped to the subdomain, and XSS
// calls to the dashboard are not possible due to CORs.
DisablePathApps bool
SecureAuthCookie bool
DisablePathApps bool
Cookies codersdk.HTTPCookieConfig
AgentProvider AgentProvider
StatsCollector *StatsCollector
@ -230,16 +230,14 @@ func (s *Server) handleAPIKeySmuggling(rw http.ResponseWriter, r *http.Request,
// We use different cookie names for path apps and for subdomain apps to
// avoid both being set and sent to the server at the same time and the
// server using the wrong value.
http.SetCookie(rw, &http.Cookie{
http.SetCookie(rw, s.Cookies.Apply(&http.Cookie{
Name: AppConnectSessionTokenCookieName(accessMethod),
Value: payload.APIKey,
Domain: domain,
Path: "/",
MaxAge: 0,
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
Secure: s.SecureAuthCookie,
})
}))
// Strip the query parameter.
path := r.URL.Path
@ -300,6 +298,7 @@ func (s *Server) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
// permissions to connect to a workspace.
token, ok := ResolveRequest(rw, r, ResolveRequestOptions{
Logger: s.Logger,
CookieCfg: s.Cookies,
SignedTokenProvider: s.SignedTokenProvider,
DashboardURL: s.DashboardURL,
PathAppBaseURL: s.AccessURL,
@ -405,6 +404,7 @@ func (s *Server) HandleSubdomain(middlewares ...func(http.Handler) http.Handler)
token, ok := ResolveRequest(rw, r, ResolveRequestOptions{
Logger: s.Logger,
CookieCfg: s.Cookies,
SignedTokenProvider: s.SignedTokenProvider,
DashboardURL: s.DashboardURL,
PathAppBaseURL: s.AccessURL,
@ -630,6 +630,7 @@ func (s *Server) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
appToken, ok := ResolveRequest(rw, r, ResolveRequestOptions{
Logger: s.Logger,
CookieCfg: s.Cookies,
SignedTokenProvider: s.SignedTokenProvider,
DashboardURL: s.DashboardURL,
PathAppBaseURL: s.AccessURL,