Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a cookie-csrf-per-request-limit attribute #2615

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add a cookie-csrf-per-request-limit attribute #2615

wants to merge 4 commits into from

Conversation

bh-tt
Copy link

@bh-tt bh-tt commented Apr 23, 2024
edited

Description

This PR adds the option for a limit in the number of per-request CSRF cookies oauth2-proxy sets. During the doOAuthStart method we call this method in order to remove the oldest cookies.

Motivation and Context

See #2383

How Has This Been Tested?

Using a unit test, I ran go test ./pgk/cookies

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.

@bh-tt bh-tt marked this pull request as ready for review April 23, 2024 15:08
@bh-tt bh-tt requested a review from a team as a code owner April 23, 2024 15:08
@github-actions github-actions bot added the docs label Apr 23, 2024
bh-tt
bh-tt commented Apr 24, 2024
View reviewed changes
Copy link
Author

@bh-tt bh-tt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few points I'd like some feedback on.

pkg/apis/options/cookie.go
SameSite string `flag:"cookie-samesite" cfg:"cookie_samesite"`
CSRFPerRequest bool `flag:"cookie-csrf-per-request" cfg:"cookie_csrf_per_request"`
CSRFExpire time.Duration `flag:"cookie-csrf-expire" cfg:"cookie_csrf_expire"`
CSRFPerRequestLimit int `flag:"cookie-csrf-per-request-limit" cfg:"cookie_csrf_per_request_limit"`
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this enough to add the flag to config values?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And how can i configure a default of say 2^32-1?

pkg/cookies/csrf.go
csrf := &csrf{cookieOpts: opts}
clock := clock.Clock{}
clock.Set(t)
csrf := &csrf{cookieOpts: opts, time: clock}
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This clock.Clock used to be only used for tests I think so I'm not sure what the impact of setting it here is?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
docs go tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@bh-tt