
fix: enable passport-azure-ad workaround for SameSite cookies (#2567)

This adds a cookieEncryptionKeyString configuration option to the Azure AD
authentication module. It represents an array of cookie encryption
strings and enables a workaround for SameSite cookies.
YAEGASHI Takeshi 4 年之前
父节点
当前提交
a3513b1bdf

+ 17 - 1
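--- a/server/modules/authentication/azure/authentication.js
+++ b/server/modules/authentication/azure/authentication.js
@@ -10,6 +10,19 @@ const OIDCStrategy = require('passport-azure-ad').OIDCStrategy
 
 module.exports = {
   init (passport, conf) {
+    // Workaround for Chrome's SameSite cookies
+    // cookieSameSite needs useCookieInsteadOfSession to work correctly.
+    // cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
+    // It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
+    // Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
+    const keyArray = [];
+    if (conf.cookieEncryptionKeyString) {
+      let keyString = conf.cookieEncryptionKeyString;
+      while (keyString.length >= 44) {
+        keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });
+        keyString = keyString.substring(44);
+      }
+    }
     passport.use('azure',
       new OIDCStrategy({
         identityMetadata: conf.entryPoint,
@@ -19,7 +32,10 @@ module.exports = {
         responseMode: 'form_post',
         scope: ['profile', 'email', 'openid'],
         allowHttpForRedirectUrl: WIKI.IS_DEBUG,
-        passReqToCallback: true
+        passReqToCallback: true,
+        cookieSameSite: keyArray.length > 0,
+        useCookieInsteadOfSession: keyArray.length > 0,
+        cookieEncryptionKeys: keyArray
       }, async (req, iss, sub, profile, cb) => {
         const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
         try {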
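Review bot: The key-splitting loop in the first hunk silently drops any trailing fragment shorter than 44 characters, so a mistyped or truncated cookieEncryptionKeyString yields fewer key/iv pairs than the administrator configured, or none at all, and because `keyArray.length > 0` also drives cookieSameSite and useCookieInsteadOfSession in the second hunk, an empty result quietly disables the whole workaround with no diagnostic. The loop also measures UTF-16 code units, so a value containing non-ASCII characters presumably produces key and iv material of the wrong byte length for the encryption passport-azure-ad performs with it. After the loop, surface the leftover instead of ignoring it (throw, or at least log a warning), e.g. `if (keyString.length > 0) { throw new Error('cookieEncryptionKeyString length must be a multiple of 44 characters') }`, and consider rejecting non-printable-ASCII input. The comment on the hunk's fourth added line has a typo: `concatnation` → `concatenation`. The init method continues past the end of the second hunk.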

+ 5 - 1
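--- a/server/modules/authentication/azure/definition.yml
+++ b/server/modules/authentication/azure/definition.yml
@@ -22,4 +22,8 @@ props:
     title: Client ID
     hint: The client ID of your application in AAD (Azure Active Directory)
     order: 2
-
+  cookieEncryptionKeyString:
+    type: String
+    title: Cookie Encryption Key String
+    hint: Random string with 44-character length.  Setting this enables workaround for Chrome's SameSite cookies.
+    order: 3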
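Review bot: The hint on the added cookieEncryptionKeyString prop describes a single 44-character string, while the parsing in authentication.js accepts any multiple of 44 characters and turns each chunk into one key/iv pair (the first 32 characters as key, the next 12 as iv), so an administrator cannot tell from the form that the value is secret key material, how it is structured, or that several pairs may be supplied. Suggest a hint such as `hint: Secret random string of 44 characters (a 32-character key followed by a 12-character IV); concatenate several such strings to supply multiple keys. Setting this enables a workaround for Chrome's SameSite cookies.`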