Merge pull request #48565 from ikorennoy/korennoy/form_auth_cookie_domain

Support Form Auth cookie domain property

Author: sberyozkin

extensions/security-webauthn/runtime/src/main/java/io/quarkus/security/webauthn/WebAuthnRecorder.java

@@ -79,7 +79,7 @@ public WebAuthnAuthenticationMechanism get() {
                         config.sessionTimeout().toMillis(),
                         config.newCookieInterval().toMillis(), false, config.cookieSameSite().name(),
                         config.cookiePath().orElse(null),
-                        config.cookieMaxAge().map(Duration::toSeconds).orElse(-1L));
+                        config.cookieMaxAge().map(Duration::toSeconds).orElse(-1L), null);
                 String loginPage = config.loginPage().startsWith("/") ? config.loginPage() : "/" + config.loginPage();
                 return new WebAuthnAuthenticationMechanism(loginManager, loginPage);
             }

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/FormAuthRuntimeConfig.java

@@ -106,6 +106,11 @@ enum CookieSameSite {
     @WithDefault("/")
     Optional<String> cookiePath();
 
+    /**
+     * Cookie domain parameter value which, if set, will be used for the session and location cookies.
+     */
+    Optional<String> cookieDomain();
+
     /**
      * Set the HttpOnly attribute to prevent access to the cookie via JavaScript.
      */

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/FormAuthenticationMechanism.java

@@ -65,6 +65,7 @@ public class FormAuthenticationMechanism implements HttpAuthenticationMechanism
     private final boolean redirectToLoginPage;
     private final CookieSameSite cookieSameSite;
     private final String cookiePath;
+    private final String cookieDomain;
     private final boolean isFormAuthEventObserver;
     private final PersistentLoginManager loginManager;
     private final Event<FormAuthenticationEvent> formAuthEvent;
@@ -97,7 +98,8 @@ public class FormAuthenticationMechanism implements HttpAuthenticationMechanism
         FormAuthRuntimeConfig runtimeForm = httpConfig.auth().form();
         this.loginManager = new PersistentLoginManager(key, runtimeForm.cookieName(), runtimeForm.timeout().toMillis(),
                 runtimeForm.newCookieInterval().toMillis(), runtimeForm.httpOnlyCookie(), runtimeForm.cookieSameSite().name(),
-                runtimeForm.cookiePath().orElse(null), runtimeForm.cookieMaxAge().map(Duration::toSeconds).orElse(-1L));
+                runtimeForm.cookiePath().orElse(null), runtimeForm.cookieMaxAge().map(Duration::toSeconds).orElse(-1L),
+                runtimeForm.cookieDomain().orElse(null));
         this.loginPage = startWithSlash(runtimeForm.loginPage().orElse(null));
         this.errorPage = startWithSlash(runtimeForm.errorPage().orElse(null));
         this.landingPage = startWithSlash(runtimeForm.landingPage().orElse(null));
@@ -106,6 +108,7 @@ public class FormAuthenticationMechanism implements HttpAuthenticationMechanism
         this.passwordParameter = runtimeForm.passwordParameter();
         this.locationCookie = runtimeForm.locationCookie();
         this.cookiePath = runtimeForm.cookiePath().orElse(null);
+        this.cookieDomain = runtimeForm.cookieDomain().orElse(null);
         boolean redirectAfterLogin = runtimeForm.redirectAfterLogin();
         this.redirectToLandingPage = landingPage != null && redirectAfterLogin;
         this.redirectToLoginPage = loginPage != null;
@@ -119,7 +122,7 @@ public class FormAuthenticationMechanism implements HttpAuthenticationMechanism
     public FormAuthenticationMechanism(String loginPage, String postLocation,
             String usernameParameter, String passwordParameter, String errorPage, String landingPage,
             boolean redirectAfterLogin, String locationCookie, String cookieSameSite, String cookiePath,
-            PersistentLoginManager loginManager) {
+            String cookieDomain, PersistentLoginManager loginManager) {
         this.loginPage = loginPage;
         this.postLocation = postLocation;
         this.usernameParameter = usernameParameter;
@@ -132,6 +135,7 @@ public FormAuthenticationMechanism(String loginPage, String postLocation,
         this.redirectToErrorPage = errorPage != null;
         this.cookieSameSite = CookieSameSite.valueOf(cookieSameSite);
         this.cookiePath = cookiePath;
+        this.cookieDomain = cookieDomain;
         this.loginManager = loginManager;
         this.isFormAuthEventObserver = false;
         this.formAuthEvent = null;
@@ -239,8 +243,12 @@ protected void verifyRedirectBackLocation(String requestURIString, String redire
     }
 
     protected void storeInitialLocation(final RoutingContext exchange) {
-        exchange.response().addCookie(Cookie.cookie(locationCookie, exchange.request().absoluteURI())
-                .setPath(cookiePath).setSameSite(cookieSameSite).setSecure(exchange.request().isSSL()));
+        Cookie cookie = Cookie.cookie(locationCookie, exchange.request().absoluteURI())
+                .setPath(cookiePath).setSameSite(cookieSameSite).setSecure(exchange.request().isSSL());
+        if (cookieDomain != null) {
+            cookie.setDomain(cookieDomain);
+        }
+        exchange.response().addCookie(cookie);
     }
 
     protected void servePage(final RoutingContext exchange, final String location) {

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/security/PersistentLoginManager.java

@@ -40,16 +40,18 @@ public class PersistentLoginManager {
     private final CookieSameSite cookieSameSite;
     private final String cookiePath;
     private final long maxAgeSeconds;
+    private final String cookieDomain;
 
     public PersistentLoginManager(String encryptionKey, String cookieName, long timeoutMillis, long newCookieIntervalMillis,
-            boolean httpOnlyCookie, String cookieSameSite, String cookiePath, long maxAgeSeconds) {
+            boolean httpOnlyCookie, String cookieSameSite, String cookiePath, long maxAgeSeconds, String cookieDomain) {
         this.cookieName = cookieName;
         this.newCookieIntervalMillis = newCookieIntervalMillis;
         this.timeoutMillis = timeoutMillis;
         this.httpOnlyCookie = httpOnlyCookie;
         this.cookieSameSite = CookieSameSite.valueOf(cookieSameSite);
         this.cookiePath = cookiePath;
         this.maxAgeSeconds = maxAgeSeconds;
+        this.cookieDomain = cookieDomain;
         try {
             if (encryptionKey == null) {
                 this.secretKey = KeyGenerator.getInstance("AES").generateKey();
@@ -150,6 +152,9 @@ public void save(String value, RoutingContext context, String cookieName, Restor
             if (maxAgeSeconds >= 0) {
                 cookie.setMaxAge(maxAgeSeconds);
             }
+            if (cookieDomain != null) {
+                cookie.setDomain(cookieDomain);
+            }
             context.addCookie(cookie);
         } catch (Exception e) {
             throw new RuntimeException(e);