Merge pull request #178 from basecamp/cookie-path-prefix

Add `--scope-cookie-paths`

Author: kevinmcconnell

internal/cmd/deploy.go

@@ -61,8 +61,8 @@ func newDeployCommand() *deployCommand {
 
 	deployCommand.cmd.Flags().StringSliceVar(&deployCommand.args.TargetOptions.LogRequestHeaders, "log-request-header", nil, "Additional request header to log (may be specified multiple times)")
 	deployCommand.cmd.Flags().StringSliceVar(&deployCommand.args.TargetOptions.LogResponseHeaders, "log-response-header", nil, "Additional response header to log (may be specified multiple times)")
-
 	deployCommand.cmd.Flags().BoolVar(&deployCommand.args.TargetOptions.ForwardHeaders, "forward-headers", false, "Forward X-Forwarded headers to target (default false if TLS enabled; otherwise true)")
+	deployCommand.cmd.Flags().BoolVar(&deployCommand.args.TargetOptions.ScopeCookiePaths, "scope-cookie-paths", false, "Scope cookie paths to match path prefix")
 
 	deployCommand.cmd.MarkFlagRequired("target")
 	deployCommand.cmd.MarkFlagsRequiredTogether("tls-certificate-path", "tls-private-key-path")

internal/server/cookie_scope.go

@@ -0,0 +1,44 @@
+package server
+
+import (
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// CookieScope handles scoping Set-Cookie paths to a path prefix.
+type CookieScope struct {
+	pathPrefix string
+	host       string
+}
+
+func NewCookieScope(pathPrefix string, host string) *CookieScope {
+	if h, _, err := net.SplitHostPort(host); err == nil {
+		host = h
+	}
+
+	return &CookieScope{
+		pathPrefix: pathPrefix,
+		host:       host,
+	}
+}
+
+func (cs *CookieScope) ApplyToHeader(header http.Header) {
+	cookies := header["Set-Cookie"]
+	for i, v := range cookies {
+		cookie, err := http.ParseSetCookie(v)
+		if err != nil || !cs.domainMatches(cookie.Domain) {
+			continue
+		}
+
+		cookie.Path, err = url.JoinPath(cs.pathPrefix, strings.Trim(cookie.Path, "/"))
+		if err == nil {
+			cookies[i] = cookie.String()
+		}
+	}
+}
+
+func (cs *CookieScope) domainMatches(cookieDomain string) bool {
+	return cookieDomain == "" || cookieDomain == cs.host
+}

internal/server/cookie_scope_test.go

@@ -0,0 +1,157 @@
+package server
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCookieScope_ApplyToHeader(t *testing.T) {
+	tests := []struct {
+		name           string
+		pathPrefix     string
+		host           string
+		inputCookies   []string
+		expectedPaths  []string
+	}{
+		{
+			name:           "scopes cookie with root path",
+			pathPrefix:     "/api",
+			host:           "example.com",
+			inputCookies:   []string{"session=abc; Path=/"},
+			expectedPaths:  []string{"/api"},
+		},
+		{
+			name:           "scopes cookie with subpath",
+			pathPrefix:     "/api",
+			host:           "example.com",
+			inputCookies:   []string{"session=abc; Path=/admin"},
+			expectedPaths:  []string{"/api/admin"},
+		},
+		{
+			name:           "scopes cookie without path",
+			pathPrefix:     "/api",
+			host:           "example.com",
+			inputCookies:   []string{"session=abc"},
+			expectedPaths:  []string{"/api"},
+		},
+		{
+			name:           "scopes first-party cookie with matching domain",
+			pathPrefix:     "/api",
+			host:           "example.com",
+			inputCookies:   []string{"session=abc; Path=/; Domain=example.com"},
+			expectedPaths:  []string{"/api"},
+		},
+		{
+			name:           "does not scope third-party cookie",
+			pathPrefix:     "/api",
+			host:           "example.com",
+			inputCookies:   []string{"tracking=xyz; Path=/; Domain=other.com"},
+			expectedPaths:  []string{"/"},
+		},
+		{
+			name:           "handles multiple cookies",
+			pathPrefix:     "/app",
+			host:           "example.com",
+			inputCookies:   []string{"a=1; Path=/", "b=2; Path=/foo", "c=3; Path=/; Domain=third.com"},
+			expectedPaths:  []string{"/app", "/app/foo", "/"},
+		},
+		{
+			name:           "handles host with port",
+			pathPrefix:     "/api",
+			host:           "example.com:8080",
+			inputCookies:   []string{"session=abc; Path=/; Domain=example.com"},
+			expectedPaths:  []string{"/api"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cs := NewCookieScope(tt.pathPrefix, tt.host)
+			header := http.Header{}
+			header["Set-Cookie"] = tt.inputCookies
+
+			cs.ApplyToHeader(header)
+
+			cookies := header["Set-Cookie"]
+			assert.Len(t, cookies, len(tt.expectedPaths))
+
+			for i, cookieStr := range cookies {
+				cookie, err := http.ParseSetCookie(cookieStr)
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expectedPaths[i], cookie.Path, "cookie %d path mismatch", i)
+			}
+		})
+	}
+}
+
+func TestCookieScope_DomainMatching(t *testing.T) {
+	tests := []struct {
+		name         string
+		host         string
+		cookieDomain string
+		shouldScope  bool
+	}{
+		{
+			name:         "empty domain matches",
+			host:         "example.com",
+			cookieDomain: "",
+			shouldScope:  true,
+		},
+		{
+			name:         "exact domain match",
+			host:         "example.com",
+			cookieDomain: "example.com",
+			shouldScope:  true,
+		},
+		{
+			name:         "different domain does not match",
+			host:         "example.com",
+			cookieDomain: "other.com",
+			shouldScope:  false,
+		},
+		{
+			name:         "subdomain does not match parent",
+			host:         "example.com",
+			cookieDomain: "sub.example.com",
+			shouldScope:  false,
+		},
+		{
+			name:         "parent does not match subdomain host",
+			host:         "sub.example.com",
+			cookieDomain: "example.com",
+			shouldScope:  false,
+		},
+		{
+			name:         "host with port matches domain",
+			host:         "example.com:8080",
+			cookieDomain: "example.com",
+			shouldScope:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cs := NewCookieScope("/api", tt.host)
+
+			header := http.Header{}
+			if tt.cookieDomain == "" {
+				header["Set-Cookie"] = []string{"test=value; Path=/original"}
+			} else {
+				header["Set-Cookie"] = []string{"test=value; Path=/original; Domain=" + tt.cookieDomain}
+			}
+
+			cs.ApplyToHeader(header)
+
+			cookie, err := http.ParseSetCookie(header["Set-Cookie"][0])
+			assert.NoError(t, err)
+
+			if tt.shouldScope {
+				assert.Equal(t, "/api/original", cookie.Path)
+			} else {
+				assert.Equal(t, "/original", cookie.Path)
+			}
+		})
+	}
+}

internal/server/router_test.go

@@ -415,6 +415,109 @@ func TestRouter_RoutingMultipleHosts(t *testing.T) {
 	assert.Equal(t, "second", body)
 }
 
+func TestRouter_PathBasedRoutingCookiePrefixPrefix(t *testing.T) {
+	checkRequest := func(scopeCookiePaths bool, path string, expectedCookiePath string) {
+		router := testRouter(t)
+		_, backend1 := testBackendWithHandler(t, func(w http.ResponseWriter, r *http.Request) {
+			http.SetCookie(w, &http.Cookie{
+				Name:     "session",
+				Value:    "secret",
+				Path:     "/something",
+				HttpOnly: true,
+			})
+			w.WriteHeader(http.StatusOK)
+		})
+		_, backend2 := testBackendWithHandler(t, func(w http.ResponseWriter, r *http.Request) {
+			http.SetCookie(w, &http.Cookie{
+				Name:     "session",
+				Value:    "secret",
+				Path:     "/",
+				HttpOnly: true,
+			})
+			w.WriteHeader(http.StatusOK)
+		})
+
+		serviceOptions := defaultServiceOptions
+		serviceOptions.StripPrefix = true
+		targetOptions := defaultTargetOptions
+		targetOptions.ScopeCookiePaths = scopeCookiePaths
+
+		serviceOptions.PathPrefixes = []string{"/api", "/app"}
+		require.NoError(t, router.DeployService("service1", []string{backend1}, defaultEmptyReaders, serviceOptions, targetOptions, DefaultDeployTimeout, DefaultDrainTimeout))
+		serviceOptions.PathPrefixes = []string{"/chat"}
+		require.NoError(t, router.DeployService("service2", []string{backend2}, defaultEmptyReaders, serviceOptions, targetOptions, DefaultDeployTimeout, DefaultDrainTimeout))
+
+		req := httptest.NewRequest(http.MethodGet, path, nil)
+		w := httptest.NewRecorder()
+		router.ServeHTTP(w, req)
+		require.Equal(t, http.StatusOK, w.Result().StatusCode)
+		require.Len(t, w.Result().Cookies(), 1)
+
+		cookie := w.Result().Cookies()[0]
+		assert.Equal(t, expectedCookiePath, cookie.Path)
+	}
+
+	checkRequest(true, "/app", "/app/something")
+	checkRequest(true, "/api", "/api/something")
+	checkRequest(false, "/app", "/something")
+	checkRequest(false, "/api", "/something")
+
+	checkRequest(true, "/chat", "/chat")
+	checkRequest(false, "/chat", "/")
+}
+
+func TestRouter_PathBasedRoutingCookiePrefixThirdPartyDomain(t *testing.T) {
+	router := testRouter(t)
+	_, backend := testBackendWithHandler(t, func(w http.ResponseWriter, r *http.Request) {
+		http.SetCookie(w, &http.Cookie{
+			Name:   "first_party",
+			Value:  "value1",
+			Path:   "/original",
+			Domain: "example.com",
+		})
+		http.SetCookie(w, &http.Cookie{
+			Name:   "third_party",
+			Value:  "value2",
+			Path:   "/original",
+			Domain: "other.com",
+		})
+		http.SetCookie(w, &http.Cookie{
+			Name:  "no_domain",
+			Value: "value3",
+			Path:  "/original",
+		})
+		w.WriteHeader(http.StatusOK)
+	})
+
+	serviceOptions := defaultServiceOptions
+	serviceOptions.StripPrefix = true
+	serviceOptions.PathPrefixes = []string{"/api"}
+	targetOptions := defaultTargetOptions
+	targetOptions.ScopeCookiePaths = true
+
+	require.NoError(t, router.DeployService("service", []string{backend}, defaultEmptyReaders, serviceOptions, targetOptions, DefaultDeployTimeout, DefaultDrainTimeout))
+
+	req := httptest.NewRequest(http.MethodGet, "http://example.com/api/test", nil)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	require.Equal(t, http.StatusOK, w.Result().StatusCode)
+	require.Len(t, w.Result().Cookies(), 3)
+
+	cookies := w.Result().Cookies()
+
+	// First-party cookie (domain matches request host) should be scoped
+	assert.Equal(t, "first_party", cookies[0].Name)
+	assert.Equal(t, "/api/original", cookies[0].Path)
+
+	// Third-party cookie (domain doesn't match) should NOT be scoped
+	assert.Equal(t, "third_party", cookies[1].Name)
+	assert.Equal(t, "/original", cookies[1].Path)
+
+	// Cookie without domain should be scoped
+	assert.Equal(t, "no_domain", cookies[2].Name)
+	assert.Equal(t, "/api/original", cookies[2].Path)
+}
+
 func TestRouter_PathBasedRoutingStripPrefix(t *testing.T) {
 	router := testRouter(t)
 	_, backend := testBackendWithHandler(t, func(w http.ResponseWriter, r *http.Request) {