add support for cross-site cookies (#1)

mrobers1982 · mrobers1982 · commit a56db643da6b · 2025-03-07T08:53:06.000-08:00
diff --git a/coderd/apikey.go b/coderd/apikey.go
@@ -387,7 +387,7 @@ func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*
 		Value:    sessionToken,
 		Path:     "/",
 		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   api.SecureAuthCookie,
+		SameSite: http.SameSiteNoneMode,
+		Secure:   true,
 	}, &newkey, nil
 }
diff --git a/coderd/httpmw/csrf.go b/coderd/httpmw/csrf.go
@@ -19,7 +19,7 @@ import (
 func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		mw := nosurf.New(next)
-		mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: secureCookie})
+		mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteNoneMode, Secure: true})
 		mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
 			if err == nil &&
diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
@@ -123,7 +123,8 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp
 					Value:    state,
 					Path:     "/",
 					HttpOnly: true,
-					SameSite: http.SameSiteLaxMode,
+					SameSite: http.SameSiteNoneMode,
+					Secure:   true,
 				})
 				// Redirect must always be specified, otherwise
 				// an old redirect could apply!
@@ -132,7 +133,8 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp
 					Value:    redirect,
 					Path:     "/",
 					HttpOnly: true,
-					SameSite: http.SameSiteLaxMode,
+					SameSite: http.SameSiteNoneMode,
+					Secure:   true,
 				})
 
 				http.Redirect(rw, r, config.AuthCodeURL(state, opts...), http.StatusTemporaryRedirect)
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -203,11 +203,11 @@ func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {
 		Path:     "/",
 		Value:    token,
 		Expires:  claims.Expiry.Time(),
-		Secure:   api.SecureAuthCookie,
+		Secure:   true,
 		HttpOnly: true,
 		// Must be SameSite to work on the redirected auth flow from the
 		// oauth provider.
-		SameSite: http.SameSiteLaxMode,
+		SameSite: http.SameSiteNoneMode,
 	})
 	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.OAuthConversionResponse{
 		StateString: stateString,
