TheCloud/anubis
1
0
Fork 0
mirror of https://github.com/TecharoHQ/anubis.git synced 2025-08-03 01:38:14 -04:00
Code Issues Packages Projects Releases Wiki Activity

Set cookies to have the Secure flag default to true (#739)

Browse Source 
* Set Cookies to use the Secure Flag and default SameSite to None

* Add secure flag test

* Updated changelog and documentation for secure flag option
This commit is contained in:
Victor Fernandes 2025-06-30 14:58:31 -04:00 committed by GitHub
parent 12453fdc00
commit 292c470ada
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 32 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/anubis/main.go
View File

@ -51,6 +51,7 @@ var (
cookiePrefix = flag.String("cookie-prefix", "techaro.lol-anubis", "prefix for browser cookies created by Anubis") cookiePrefix = flag.String("cookie-prefix", "techaro.lol-anubis", "prefix for browser cookies created by Anubis")
cookiePartitioned = flag.Bool("cookie-partitioned", false, "if true, sets the partitioned flag on Anubis cookies, enabling CHIPS support") cookiePartitioned = flag.Bool("cookie-partitioned", false, "if true, sets the partitioned flag on Anubis cookies, enabling CHIPS support")
hs512Secret = flag.String("hs512-secret", "", "secret used to sign JWTs, uses ed25519 if not set") hs512Secret = flag.String("hs512-secret", "", "secret used to sign JWTs, uses ed25519 if not set")
cookieSecure = flag.Bool("cookie-secure", true, "if true, sets the secure flag on Anubis cookies")
ed25519PrivateKeyHex = flag.String("ed25519-private-key-hex", "", "private key used to sign JWTs, if not set a random one will be assigned") ed25519PrivateKeyHex = flag.String("ed25519-private-key-hex", "", "private key used to sign JWTs, if not set a random one will be assigned")
ed25519PrivateKeyHexFile = flag.String("ed25519-private-key-hex-file", "", "file name containing value for ed25519-private-key-hex") ed25519PrivateKeyHexFile = flag.String("ed25519-private-key-hex-file", "", "file name containing value for ed25519-private-key-hex")
metricsBind = flag.String("metrics-bind", ":9090", "network address to bind metrics to") metricsBind = flag.String("metrics-bind", ":9090", "network address to bind metrics to")
@ -403,6 +404,7 @@ func main() {
Target: *target, Target: *target,
WebmasterEmail: *webmasterEmail, WebmasterEmail: *webmasterEmail,
OpenGraph: policy.OpenGraph, OpenGraph: policy.OpenGraph,
CookieSecure: *cookieSecure,
}) })
if err != nil { if err != nil {
log.Fatalf("can't construct libanubis.Server: %v", err) log.Fatalf("can't construct libanubis.Server: %v", err)

3
docs/docs/CHANGELOG.md
View File

@ -10,6 +10,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased] ## [Unreleased]
<!-- This changes the project to: -->
- Add `COOKIE_SECURE` option to set the cookie [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies)
- Sets cookie defaults to use [SameSite: None](https://web.dev/articles/samesite-cookies-explained)
- Determine the `BIND_NETWORK`/`--bind-network` value from the bind address ([#677](https://github.com/TecharoHQ/anubis/issues/677)). - Determine the `BIND_NETWORK`/`--bind-network` value from the bind address ([#677](https://github.com/TecharoHQ/anubis/issues/677)).
- Implement localization system. Find locale files in lib/localization/locales/. - Implement localization system. Find locale files in lib/localization/locales/.

1
docs/docs/admin/installation.mdx
View File

@ -67,6 +67,7 @@ Anubis uses these environment variables for configuration:
| `COOKIE_DYNAMIC_DOMAIN` | false | If set to true, automatically set cookie domain fields based on the hostname of the request. EG: if you are making a request to `anubis.techaro.lol`, the Anubis cookie will be valid for any subdomain of `techaro.lol`. | | `COOKIE_DYNAMIC_DOMAIN` | false | If set to true, automatically set cookie domain fields based on the hostname of the request. EG: if you are making a request to `anubis.techaro.lol`, the Anubis cookie will be valid for any subdomain of `techaro.lol`. |
| `COOKIE_EXPIRATION_TIME` | `168h` | The amount of time the authorization cookie is valid for. | | `COOKIE_EXPIRATION_TIME` | `168h` | The amount of time the authorization cookie is valid for. |
| `COOKIE_PARTITIONED` | `false` | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe. | | `COOKIE_PARTITIONED` | `false` | If set to `true`, enables the [partitioned (CHIPS) flag](https://developers.google.com/privacy-sandbox/cookies/chips), meaning that Anubis inside an iframe has a different set of cookies than the domain hosting the iframe. |
| `COOKIE_SECURE` | `true` | If set to `true`, enables the [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies), meaning that the cookies will only be transmitted over HTTPS. If Anubis is used in an unsecure context (plain HTTP), this will be need to be set to false |
| `DIFFICULTY` | `4` | The difficulty of the challenge, or the number of leading zeroes that must be in successful responses. | | `DIFFICULTY` | `4` | The difficulty of the challenge, or the number of leading zeroes that must be in successful responses. |
| `ED25519_PRIVATE_KEY_HEX` | unset | The hex-encoded ed25519 private key used to sign Anubis responses. If this is not set, Anubis will generate one for you. This should be exactly 64 characters long. See below for details. | | `ED25519_PRIVATE_KEY_HEX` | unset | The hex-encoded ed25519 private key used to sign Anubis responses. If this is not set, Anubis will generate one for you. This should be exactly 64 characters long. See below for details. |
| `ED25519_PRIVATE_KEY_HEX_FILE` | unset | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set. | | `ED25519_PRIVATE_KEY_HEX_FILE` | unset | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set. |

5
lib/anubis_test.go
View File

@ -262,6 +262,7 @@ func TestCookieSettings(t *testing.T) {
CookieDomain: "127.0.0.1", CookieDomain: "127.0.0.1",
CookiePartitioned: true, CookiePartitioned: true,
CookieSecure: true,
CookieExpiration: anubis.CookieDefaultExpirationTime, CookieExpiration: anubis.CookieDefaultExpirationTime,
}) })
@ -309,6 +310,10 @@ func TestCookieSettings(t *testing.T) {
if ckie.Partitioned != srv.opts.CookiePartitioned { if ckie.Partitioned != srv.opts.CookiePartitioned {
t.Errorf("wanted partitioned flag %v, got: %v", srv.opts.CookiePartitioned, ckie.Partitioned) t.Errorf("wanted partitioned flag %v, got: %v", srv.opts.CookiePartitioned, ckie.Partitioned)
} }
if ckie.Secure != srv.opts.CookieSecure {
t.Errorf("wanted secure flag %v, got: %v", srv.opts.CookieSecure, ckie.Secure)
}
} }
func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) { func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) {

1
lib/config.go
View File

@ -44,6 +44,7 @@ type Options struct {
StripBasePrefix bool StripBasePrefix bool
OpenGraph config.OpenGraph OpenGraph config.OpenGraph
ServeRobotsTXT bool ServeRobotsTXT bool
CookieSecure bool
} }
func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) { func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {

32
lib/http.go
View File

@ -23,10 +23,11 @@ import (
var domainMatchRegexp = regexp.MustCompile(`^((xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$`) var domainMatchRegexp = regexp.MustCompile(`^((xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$`)
type CookieOpts struct { type CookieOpts struct {
Value string Value string
Host string Host string
Path string Path string
Name string Name string
Expiry time.Duration
} }
func (s *Server) SetCookie(w http.ResponseWriter, cookieOpts CookieOpts) { func (s *Server) SetCookie(w http.ResponseWriter, cookieOpts CookieOpts) {
@ -45,12 +46,17 @@ func (s *Server) SetCookie(w http.ResponseWriter, cookieOpts CookieOpts) {
} }
} }
if cookieOpts.Expiry == 0 {
cookieOpts.Expiry = s.opts.CookieExpiration
}
http.SetCookie(w, &http.Cookie{ http.SetCookie(w, &http.Cookie{
Name: name, Name: name,
Value: cookieOpts.Value, Value: cookieOpts.Value,
Expires: time.Now().Add(s.opts.CookieExpiration), Expires: time.Now().Add(cookieOpts.Expiry),
SameSite: http.SameSiteLaxMode, SameSite: http.SameSiteNoneMode,
Domain: domain, Domain: domain,
Secure: s.opts.CookieSecure,
Partitioned: s.opts.CookiePartitioned, Partitioned: s.opts.CookiePartitioned,
Path: path, Path: path,
}) })
@ -77,9 +83,10 @@ func (s *Server) ClearCookie(w http.ResponseWriter, cookieOpts CookieOpts) {
Value: "", Value: "",
MaxAge: -1, MaxAge: -1,
Expires: time.Now().Add(-1 * time.Minute), Expires: time.Now().Add(-1 * time.Minute),
SameSite: http.SameSiteLaxMode, SameSite: http.SameSiteNoneMode,
Partitioned: s.opts.CookiePartitioned, Partitioned: s.opts.CookiePartitioned,
Domain: domain, Domain: domain,
Secure: s.opts.CookieSecure,
Path: path, Path: path,
}) })
} }
@ -132,11 +139,12 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
} }
} }
http.SetCookie(w, &http.Cookie{ s.SetCookie(w, CookieOpts{
Name: anubis.TestCookieName, Value: challengeStr,
Value: challengeStr, Host: r.Host,
Expires: time.Now().Add(30 * time.Minute), Path: "/",
Path: "/", Name: anubis.TestCookieName,
Expiry: 30 * time.Minute,
}) })
impl, ok := challenge.Get(rule.Challenge.Algorithm) impl, ok := challenge.Get(rule.Challenge.Algorithm)