Set cookie to expire after logon

Author: MarcialRosales

deps/rabbitmq_management/src/rabbit_mgmt_login.erl

@@ -10,17 +10,31 @@
 -export([init/2]).
 
 -include_lib("rabbitmq_management_agent/include/rabbit_mgmt_records.hrl").
+-include("rabbit_mgmt.hrl").
+
 %%--------------------------------------------------------------------
 
 init(Req0, State) ->
   login(cowboy_req:method(Req0), Req0, State).
 
-login(<<"POST">>, Req0, State) ->
+login(<<"POST">>, Req0=#{scheme := Scheme}, State) ->
     {ok, Body, _} = cowboy_req:read_urlencoded_body(Req0),
     AccessToken = proplists:get_value(<<"access_token">>, Body),
     case rabbit_mgmt_util:is_authorized_user(Req0, #context{}, <<"">>, AccessToken, false) of
         {true, Req1, _} ->     
-            SetCookie = cowboy_req:set_resp_cookie(?OAUTH2_ACCESS_TOKEN_COOKIE, AccessToken, Req1),    
+            CookieSettings = #{
+                http_only => true,
+                path => "/js/oidc-oauth/bootstrap.js",
+                max_age => 30,
+                expires => os:system_time(millisecond) + 30000,
+                same_site => strict
+            },          
+            rabbit_log:debug("Setting access_token in cookie: ~p", [AccessToken]),
+            SetCookie = cowboy_req:set_resp_cookie(?OAUTH2_ACCESS_TOKEN_COOKIE, AccessToken, Req1,
+                case Scheme of 
+                    <<"https">> -> CookieSettings#{ secure => true};
+                    _ -> CookieSettings
+                end),    
             Home = cowboy_req:uri(SetCookie, #{
                 path => rabbit_mgmt_util:get_path_prefix() ++ "/"
             }),

deps/rabbitmq_management/src/rabbit_mgmt_oauth_bootstrap.erl

@@ -8,6 +8,7 @@
 -module(rabbit_mgmt_oauth_bootstrap).
 
 -export([init/2]).
+-include("rabbit_mgmt.hrl").
 
 %%--------------------------------------------------------------------
 
@@ -34,17 +35,27 @@ set_oauth_settings(AuthSettings) ->
 set_token_auth(AuthSettings, Req0) ->
     case proplists:get_value(oauth_enabled, AuthSettings, false) of
         true ->
-            case cowboy_req:parse_header(<<"Authorization">>, Req0) of
-                {bearer, Token} -> {
+            case cowboy_req:parse_header(<<"authorization">>, Req0) of
+                {bearer, Token} -> 
+                    rabbit_log:debug("Request contained token in authorization header"),
+                    {
                         Req0, 
                         ["set_token_auth('", Token, "');"]
                     };
                 _ -> 
                     Cookies = cowboy_req:parse_cookies(Req0),
                     case lists:keyfind(?OAUTH2_ACCESS_TOKEN_COOKIE, 1, Cookies) of 
-                        {_, Token} -> {
+                        {_, Token} -> 
+                            rabbit_log:debug("Request contained token in cookie: ~p", [Token]),
+                            {
                                 cowboy_req:set_resp_cookie(
-                                    ?OAUTH2_ACCESS_TOKEN_COOKIE, <<>>, Req0, #{max_age => 0}), 
+                                    ?OAUTH2_ACCESS_TOKEN_COOKIE, <<"">>, Req0, #{
+                                        max_age => 0,
+                                        expires => os:system_time(millisecond) - 30000,
+                                        http_only => true,
+                                        path => "/js/oidc-oauth/bootstrap.js",
+                                        same_site => strict
+                                    }), 
                                 ["set_token_auth('", Token, "');"]
                             };
                         false -> {