CBG-4962 create cookie with SameSite=None if CORS enabled

auth/session.go

@@ -135,7 +135,7 @@ func (auth *Authenticator) GetSession(sessionID string) (*LoginSession, error) {
 	return &session, nil
 }
 
-func (auth *Authenticator) MakeSessionCookie(session *LoginSession, secureCookie bool, httpOnly bool) *http.Cookie {
+func (auth *Authenticator) MakeSessionCookie(session *LoginSession, secureCookie bool, httpOnly bool, sameSite http.SameSite) *http.Cookie {
 	if session == nil {
 		return nil
 	}
@@ -145,6 +145,7 @@ func (auth *Authenticator) MakeSessionCookie(session *LoginSession, secureCookie
 		Expires:  session.Expiration,
 		Secure:   secureCookie,
 		HttpOnly: httpOnly,
+		SameSite: sameSite,
 	}
 }
 

auth/session_test.go

@@ -116,14 +116,14 @@ func TestMakeSessionCookie(t *testing.T) {
 		Ttl:        24 * time.Hour,
 	}
 
-	cookie := auth.MakeSessionCookie(mockSession, false, false)
+	cookie := auth.MakeSessionCookie(mockSession, false, false, http.SameSiteDefaultMode)
 	assert.Equal(t, DefaultCookieName, cookie.Name)
 	assert.Equal(t, sessionID, cookie.Value)
 	assert.NotEmpty(t, cookie.Expires)
 
 	// Cookies should not be created with uninitialized session
 	mockSession = nil
-	cookie = auth.MakeSessionCookie(mockSession, false, false)
+	cookie = auth.MakeSessionCookie(mockSession, false, false, http.SameSiteDefaultMode)
 	assert.Empty(t, cookie)
 }
 
@@ -143,16 +143,16 @@ func TestMakeSessionCookieProperties(t *testing.T) {
 		Ttl:        24 * time.Hour,
 	}
 
-	unsecuredCookie := auth.MakeSessionCookie(mockSession, false, false)
+	unsecuredCookie := auth.MakeSessionCookie(mockSession, false, false, http.SameSiteDefaultMode)
 	assert.False(t, unsecuredCookie.Secure)
 
-	securedCookie := auth.MakeSessionCookie(mockSession, true, false)
+	securedCookie := auth.MakeSessionCookie(mockSession, true, false, http.SameSiteDefaultMode)
 	assert.True(t, securedCookie.Secure)
 
-	httpOnlyFalseCookie := auth.MakeSessionCookie(mockSession, false, false)
+	httpOnlyFalseCookie := auth.MakeSessionCookie(mockSession, false, false, http.SameSiteDefaultMode)
 	assert.False(t, httpOnlyFalseCookie.HttpOnly)
 
-	httpOnlyCookie := auth.MakeSessionCookie(mockSession, false, true)
+	httpOnlyCookie := auth.MakeSessionCookie(mockSession, false, true, http.SameSiteDefaultMode)
 	assert.True(t, httpOnlyCookie.HttpOnly)
 }
 
@@ -248,7 +248,7 @@ func TestCreateSessionChangePassword(t *testing.T) {
 
 			request, err := http.NewRequest(http.MethodGet, "", nil)
 			require.NoError(t, err)
-			request.AddCookie(auth.MakeSessionCookie(session, true, true))
+			request.AddCookie(auth.MakeSessionCookie(session, true, true, http.SameSiteDefaultMode))
 
 			recorder := httptest.NewRecorder()
 			_, err = auth.AuthenticateCookie(request, recorder)
@@ -304,7 +304,7 @@ func TestUserWithoutSessionUUID(t *testing.T) {
 
 	request, err := http.NewRequest(http.MethodGet, "", nil)
 	require.NoError(t, err)
-	request.AddCookie(auth.MakeSessionCookie(session, true, true))
+	request.AddCookie(auth.MakeSessionCookie(session, true, true, http.SameSiteDefaultMode))
 
 	recorder := httptest.NewRecorder()
 	_, err = auth.AuthenticateCookie(request, recorder)
@@ -334,7 +334,7 @@ func TestUserDeleteAllSessions(t *testing.T) {
 
 	request, err := http.NewRequest(http.MethodGet, "", nil)
 	require.NoError(t, err)
-	request.AddCookie(auth.MakeSessionCookie(session, true, true))
+	request.AddCookie(auth.MakeSessionCookie(session, true, true, http.SameSiteDefaultMode))
 	recorder := httptest.NewRecorder()
 
 	_, err = auth.AuthenticateCookie(request, recorder)

rest/cors_test.go

@@ -457,6 +457,7 @@ func TestCORSLoginOriginPerDatabase(t *testing.T) {
 				cookie, err := http.ParseSetCookie(resp.Header().Get("Set-Cookie"))
 				require.NoError(t, err)
 				require.NotEmpty(t, cookie.Path)
+				require.Equal(t, http.SameSiteNoneMode, cookie.SameSite)
 				reqHeaders["Cookie"] = fmt.Sprintf("%s=%s", cookie.Name, cookie.Value)
 			}
 			resp = rt.SendRequestWithHeaders(http.MethodDelete, "/{{.db}}/_session", "", reqHeaders)

rest/session_api.go

@@ -125,7 +125,11 @@ func (h *handler) makeSessionWithTTL(user auth.User, expiry time.Duration) (sess
 	if err != nil {
 		return "", err
 	}
-	cookie := auth.MakeSessionCookie(session, h.db.Options.SecureCookieOverride, h.db.Options.SessionCookieHttpOnly)
+	sameSite := http.SameSiteDefaultMode
+	if !h.getCORSConfig().IsEmpty() {
+		sameSite = http.SameSiteNoneMode
+	}
+	cookie := auth.MakeSessionCookie(session, h.db.Options.SecureCookieOverride, h.db.Options.SessionCookieHttpOnly, sameSite)
 	base.AddDbPathToCookie(h.rq, cookie)
 	http.SetCookie(h.response, cookie)
 	return session.ID, nil

rest/session_test.go

@@ -37,6 +37,15 @@ func TestCORSLoginOriginOnSessionPost(t *testing.T) {
 
 	response = rt.SendRequestWithHeaders("POST", "/db/_facebook", `{"access_token":"true"}`, reqHeaders)
 	assertGatewayStatus(t, response, 401)
+
+	const username = "alice"
+	rt.CreateUser(username, []string{"*"})
+
+	response = rt.SendUserRequest(http.MethodPost, "/{{.db}}/_session", "", username)
+	RequireStatus(t, response, http.StatusOK)
+	cookie, err := http.ParseSetCookie(response.Header().Get("Set-Cookie"))
+	require.NoError(t, err)
+	require.Equal(t, cookie.SameSite, http.SameSiteNoneMode)
 }
 
 // #issue 991
@@ -53,6 +62,15 @@ func TestCORSLoginOriginOnSessionPostNoCORSConfig(t *testing.T) {
 
 	response := rt.SendRequestWithHeaders("POST", "/db/_session", `{"name":"jchris","password":"secret"}`, reqHeaders)
 	RequireStatus(t, response, 400)
+
+	const username = "alice"
+	rt.CreateUser(username, []string{"*"})
+
+	response = rt.SendUserRequest(http.MethodPost, "/{{.db}}/_session", "", username)
+	RequireStatus(t, response, http.StatusOK)
+	cookie, err := http.ParseSetCookie(response.Header().Get("Set-Cookie"))
+	require.NoError(t, err)
+	require.NotContains(t, cookie.String(), "SameSite")
 }
 
 func TestNoCORSOriginOnSessionPost(t *testing.T) {