chore: improve cookie handling + cleanup

SpecterOps · Oct 24, 2024 · f295864 · f295864
1 parent 28e812b
commit f295864
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/cmd/api/src/api/auth.go b/cmd/api/src/api/auth.go
@@ -301,6 +301,10 @@ func (s authenticator) ValidateRequestSignature(tokenID uuid.UUID, request *http
 	}
 }
 
+func DeleteBrowserCookie(request *http.Request, response http.ResponseWriter, name string) {
+	SetSecureBrowserCookie(request, response, name, "", time.Now().UTC(), false)
+}
+
 func SetSecureBrowserCookie(request *http.Request, response http.ResponseWriter, name, value string, expires time.Time, httpOnly bool) {
 	var (
 		hostURL       = *ctx.FromRequest(request).Host
@@ -352,6 +356,10 @@ func (s authenticator) CreateSSOSession(request *http.Request, response http.Res
 			}
 		case model.OIDCProvider:
 			//todo connect to db provider table
+
+			// Delete pre-auth cookies regardless
+			DeleteBrowserCookie(request, response, AuthPKCECookieName)
+			DeleteBrowserCookie(request, response, AuthStateCookieName)
 			break
 		case model.AuthSecret:
 			WriteErrorResponse(request.Context(), BuildErrorResponse(http.StatusBadRequest, "invalid auth provider", request), response)
@@ -372,7 +380,7 @@ func (s authenticator) CreateSSOSession(request *http.Request, response http.Res
 			locationURL := URLJoinPath(hostURL, UserInterfacePath)
 
 			// Set the token cookie
-			SetSecureBrowserCookie(request, response, AuthTokenCookieName, sessionJWT, time.Now().UTC().Add(s.cfg.AuthSessionTTL()))
+			SetSecureBrowserCookie(request, response, AuthTokenCookieName, sessionJWT, time.Now().UTC().Add(s.cfg.AuthSessionTTL()), false)
 
 			// Redirect back to the UI landing page
 			response.Header().Add(headers.Location.String(), locationURL.String())

diff --git a/cmd/api/src/api/v2/auth/oidc.go b/cmd/api/src/api/v2/auth/oidc.go
@@ -126,8 +126,6 @@ func (s ManagementResource) OIDCCallbackHandler(response http.ResponseWriter, re
 		} else if idToken, err := oidcVerifier.Verify(request.Context(), rawIDToken); err != nil {
 			api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "invalid id token", request), response)
 		} else {
-			log.Debugf("GOT A TOKEN %+v\n", token)
-			log.Debugf("ID TOKEN %+v\n", rawIDToken)
 			// Extract custom claims
 			var claims struct {
 				Name        string `json:"name"`
@@ -138,7 +136,6 @@ func (s ManagementResource) OIDCCallbackHandler(response http.ResponseWriter, re
 			if err := idToken.Claims(&claims); err != nil {
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
 			} else {
-				log.Debugf("ID CLAIMS %+v\n", claims)
 				s.authenticator.CreateSSOSession(request, response, claims.Email, oidcProvider)
 			}
 		}

diff --git a/cmd/api/src/api/v2/auth/sso.go b/cmd/api/src/api/v2/auth/sso.go
@@ -148,7 +148,6 @@ func (s ManagementResource) SSOLoginHandler(response http.ResponseWriter, reques
 
 func (s ManagementResource) SSOCallbackHandler(response http.ResponseWriter, request *http.Request) {
 	ssoProviderSlug := mux.Vars(request)[api.URIPathVariableSSOProviderSlug]
-	log.Debugf("HERE I AM IN CALLBACK - provider %s", ssoProviderSlug)
 
 	if ssoProvider, err := s.db.GetSSOProviderBySlug(request.Context(), ssoProviderSlug); err != nil {
 		api.HandleDatabaseError(request, response, err)