fix: enable passport-azure-ad workaround for SameSite cookies (#2567)

This adds cookieEncryptionKeyString configuration in the Azure AD authentication module. It represents an array of cookie encryption strings and enables workaround for SameSite cookies.

fix: enable passport-azure-ad workaround for SameSite cookies (#2567)
This adds cookieEncryptionKeyString configuration in the Azure AD authentication module. It represents an array of cookie encryption strings and enables workaround for SameSite cookies.
a3513b1b · YAEGASHI Takeshi · GitHub · a6bf2412 · a3513b1b · a3513b1b
Unverified Commit a3513b1b authored 4 years ago by YAEGASHI Takeshi Committed by GitHub 4 years ago
--- a/server/modules/authentication/azure/authentication.js
+++ b/server/modules/authentication/azure/authentication.js
@@ -10,6 +10,19 @@ const OIDCStrategy = require('passport-azure-ad').OIDCStrategy

 module.exports = {
  init (passport, conf) {
+    // Workaround for Chrome's SameSite cookies
+    // cookieSameSite needs useCookieInsteadOfSession to work correctly.
+    // cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
+    // It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
+    // Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
+    const keyArray = [];
+    if (conf.cookieEncryptionKeyString) {
+      let keyString = conf.cookieEncryptionKeyString;
+      while (keyString.length >= 44) {
+        keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });
+        keyString = keyString.substring(44);
+      }
+    }
    passport.use('azure',
      new OIDCStrategy({
        identityMetadata: conf.entryPoint,
@@ -19,7 +32,10 @@ module.exports = {
        responseMode: 'form_post',
        scope: ['profile', 'email', 'openid'],
        allowHttpForRedirectUrl: WIKI.IS_DEBUG,
-        passReqToCallback: true
+        passReqToCallback: true,
+        cookieSameSite: keyArray.length > 0,
+        useCookieInsteadOfSession: keyArray.length > 0,
+        cookieEncryptionKeys: keyArray
      }, async (req, iss, sub, profile, cb) => {
        const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
        try {

--- a/server/modules/authentication/azure/definition.yml
+++ b/server/modules/authentication/azure/definition.yml
@@ -22,4 +22,8 @@ props:
    title: Client ID
    hint: The client ID of your application in AAD (Azure Active Directory)
    order: 2
-
+  cookieEncryptionKeyString:
+    type: String
+    title: Cookie Encryption Key String
+    hint: Random string with 44-character length.  Setting this enables workaround for Chrome's SameSite cookies.
+    order: 3