fix(rbac): Fix cross domain cookie for redirect_to, to work with saml login

## 📝 Description
<!-- Describe your changes in detail -->

## ✅ Checklist
- [ ] I have tested this change
- [ ] This change requires documentation update

Author: VeljkoMaksimovic

ee/rbac/lib/rbac/utils/http.ex

@@ -5,31 +5,12 @@ defmodule Rbac.Utils.Http do
   @state_cookie_options [
     encrypt: true,
     max_age: 30 * 60,
-    # If `same_site` is set to `Strict` then the cookie will not be sent on
-    # IdP callback redirects, which will break the auth flow.
-    same_site: "Lax",
+    same_site: "Strict",
+    path: "/",
     secure: true,
     http_only: true
   ]
 
-  def store_redirect_info(conn) do
-    [
-      conn.query_params["redirect_path"],
-      conn.query_params["redirect_to"]
-    ]
-    |> Enum.filter(fn item -> item not in [nil, ""] end)
-    |> List.last("")
-    |> URI.decode()
-    |> validate_url("")
-    |> case do
-      "" ->
-        conn
-
-      url ->
-        conn |> put_state_value(@redirect_cookie_key, url)
-    end
-  end
-
   def fetch_redirect_value(conn, default) do
     case conn |> fetch_state_value(@redirect_cookie_key) do
       {:ok, redirect_to, _conn} ->
@@ -44,14 +25,6 @@ defmodule Rbac.Utils.Http do
     delete_state_value(conn, @redirect_cookie_key)
   end
 
-  def put_state_value(conn, key, value) do
-    Logger.debug("Putting state value into cookie for key: #{key}")
-
-    value = :erlang.term_to_binary(value)
-
-    Plug.Conn.put_resp_cookie(conn, key, value, @state_cookie_options)
-  end
-
   def delete_state_value(conn, key) do
     Logger.debug("Deleting state value from cookie for key: #{key}")
 

guard/lib/guard/utils.ex

@@ -137,9 +137,8 @@ defmodule Guard.Utils.Http do
   @state_cookie_options [
     encrypt: true,
     max_age: 30 * 60,
-    # If `same_site` is set to `Strict` then the cookie will not be sent on
-    # IdP callback redirects, which will break the auth flow.
-    same_site: "Lax",
+    same_site: "Strict",
+    path: "/",
     secure: true,
     http_only: true
   ]
@@ -159,9 +158,7 @@ defmodule Guard.Utils.Http do
     end
   end
 
-  def store_redirect_info(conn, url) do
-    conn |> put_state_value(@redirect_cookie_key, url)
-  end
+  def store_redirect_info(conn, url), do: conn |> put_state_value(@redirect_cookie_key, url)
 
   def fetch_redirect_value(conn, default) do
     case conn |> fetch_state_value(@redirect_cookie_key) do
@@ -182,7 +179,19 @@ defmodule Guard.Utils.Http do
 
     value = :erlang.term_to_binary(value)
 
-    Plug.Conn.put_resp_cookie(conn, key, value, @state_cookie_options)
+    opts =
+      if key == @redirect_cookie_key do
+        # If `same_site` is set to `Strict` then the cookie will not be sent on
+        # IdP callback redirects, which will break the auth flow.
+        Keyword.merge(@state_cookie_options,
+          same_site: "None",
+          domain: "." <> domain()
+        )
+      else
+        @state_cookie_options
+      end
+
+    Plug.Conn.put_resp_cookie(conn, key, value, opts)
   end
 
   def delete_state_value(conn, key) do

guard/test/guard/id/api_test.exs

@@ -329,7 +329,11 @@ defmodule Guard.Id.Api.Test do
       assert response.status_code == 200
 
       {_, cookie} = List.keyfind(response.headers, "set-cookie", 0)
+
       assert cookie =~ "semaphore_redirect_to="
+      assert cookie =~ "domain=.localhost"
+      assert cookie =~ "path=/"
+      assert cookie =~ "SameSite=None"
     end
 
     test "redirect_to query param present, redirects to valid domain only" do
@@ -472,7 +476,7 @@ defmodule Guard.Id.Api.Test do
       {_, cookie} = Enum.find(response.headers, fn h -> elem(h, 0) == "set-cookie" end)
 
       assert cookie =~ "semaphore_auth_state="
-      assert cookie =~ "secure; HttpOnly; SameSite=Lax"
+      assert cookie =~ "secure; HttpOnly; SameSite=Strict"
 
       assert response.body =~ "/protocol/openid-connect/auth"
       assert response.body =~ "localhost"