FIRST-Tech-Challenge / fmltc

FIRST Machine Learning Toolchain

Configurable secure session cookies #172

Closed cmacfarl closed 2 years ago

cmacfarl commented 2 years ago

Add a config item to allow for turning off secure session cookies. We leave secure cookies on by default. This fixes oidc login on local development environments that are running on 127.0.0.1 that would otherwise run into CSRF token denials caused by #156

lizlooney commented 2 years ago

If the denials were caused by #156 then you don't need to change SESSION_COOKIE_SECURE. #156 only changed Lax to Strict.

github-actions[bot] commented 2 years ago

Terraform plan Succeeded for Workspace: default

```diff
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ! update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.dev.google_app_engine_standard_app_version.fmltc-app-v1 will be updated in-place
! resource "google_app_engine_standard_app_version" "fmltc-app-v1" {
        id   = "apps/ftc-ml-firstinspires-dev/services/default/versions/v1"
        name = "apps/ftc-ml-firstinspires-dev/services/default/versions/v1"
        # (9 unchanged attributes hidden)

!       deployment {
!           zip {
!               source_url = "https://storage.googleapis.com/ftc-ml-firstinspires-dev-gae-source/228564b1917c98d333b16d3c98760c40.zip" -> "https://storage.googleapis.com/ftc-ml-firstinspires-dev-gae-source/c7cf04baa40eb7cf8b2ea7302862dd0a.zip"
                # (1 unchanged attribute hidden)
            }
        }
-       handlers {
-           auth_fail_action = "AUTH_FAIL_ACTION_REDIRECT" -> null
-           login            = "LOGIN_OPTIONAL" -> null
-           security_level   = "SECURE_OPTIONAL" -> null
-           url_regex        = ".*" -> null

-           script {
-               script_path = "auto" -> null
            }
        }
        # (8 unchanged blocks hidden)
    }

  # module.dev.google_cloudfunctions_function.perform-action will be updated in-place
! resource "google_cloudfunctions_function" "perform-action" {
        id                    = "projects/ftc-ml-firstinspires-dev/locations/us-central1/functions/perform_action"
        name                  = "perform_action"
!       source_archive_object = "29bdda13922590aef0249ec0cb14fbd2.zip" -> "e646cdb1a011d710603349a966c8e34a.zip"
        # (13 unchanged attributes hidden)
        # (2 unchanged blocks hidden)
    }

  # module.dev.google_storage_bucket_object.app-server-archive must be replaced
-/+ resource "google_storage_bucket_object" "app-server-archive" {
!       content_type     = "application/zip" -> (known after apply)
!       crc32c           = "/F6VyA==" -> (known after apply)
!       detect_md5hash   = "IoVksZF8mNMzsW08mHYMQA==" -> "different hash" # forces replacement
-       event_based_hold = false -> null
!       id               = "ftc-ml-firstinspires-dev-gae-source-228564b1917c98d333b16d3c98760c40.zip" -> (known after apply)
+       kms_key_name     = (known after apply)
!       md5hash          = "IoVksZF8mNMzsW08mHYMQA==" -> (known after apply)
!       media_link       = "https://storage.googleapis.com/download/storage/v1/b/ftc-ml-firstinspires-dev-gae-source/o/228564b1917c98d333b16d3c98760c40.zip?generation=1635183944439349&alt=media" -> (known after apply)
-       metadata         = {} -> null
!       name             = "228564b1917c98d333b16d3c98760c40.zip" -> "c7cf04baa40eb7cf8b2ea7302862dd0a.zip" # forces replacement
!       output_name      = "228564b1917c98d333b16d3c98760c40.zip" -> (known after apply)
!       self_link        = "https://www.googleapis.com/storage/v1/b/ftc-ml-firstinspires-dev-gae-source/o/228564b1917c98d333b16d3c98760c40.zip" -> (known after apply)
!       storage_class    = "STANDARD" -> (known after apply)
-       temporary_hold   = false -> null
        # (2 unchanged attributes hidden)
    }

  # module.dev.google_storage_bucket_object.cloud-function-archive must be replaced
-/+ resource "google_storage_bucket_object" "cloud-function-archive" {
!       content_type     = "application/zip" -> (known after apply)
!       crc32c           = "hzr9kA==" -> (known after apply)
!       detect_md5hash   = "Kb3aE5IlkK7wJJ7AyxT70g==" -> "different hash" # forces replacement
-       event_based_hold = false -> null
!       id               = "ftc-ml-firstinspires-dev-gcf-source-29bdda13922590aef0249ec0cb14fbd2.zip" -> (known after apply)
+       kms_key_name     = (known after apply)
!       md5hash          = "Kb3aE5IlkK7wJJ7AyxT70g==" -> (known after apply)
!       media_link       = "https://storage.googleapis.com/download/storage/v1/b/ftc-ml-firstinspires-dev-gcf-source/o/29bdda13922590aef0249ec0cb14fbd2.zip?generation=1635183944400267&alt=media" -> (known after apply)
-       metadata         = {} -> null
!       name             = "29bdda13922590aef0249ec0cb14fbd2.zip" -> "e646cdb1a011d710603349a966c8e34a.zip" # forces replacement
!       output_name      = "29bdda13922590aef0249ec0cb14fbd2.zip" -> (known after apply)
!       self_link        = "https://www.googleapis.com/storage/v1/b/ftc-ml-firstinspires-dev-gcf-source/o/29bdda13922590aef0249ec0cb14fbd2.zip" -> (known after apply)
!       storage_class    = "STANDARD" -> (known after apply)
-       temporary_hold   = false -> null
        # (2 unchanged attributes hidden)
    }

Plan: 2 to add, 2 to change, 2 to destroy.
```
cmacfarl commented 2 years ago

> If the denials were caused by #156 then you don't need to change SESSION_COOKIE_SECURE. #156 only changed Lax to Strict.

Sometimes I'll decode the cookie and it can be useful to not have it encrypted. The default for both is the secure settings, so datastores without these properties at all will behave as designed.
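The behaviour the thread settles on (secure cookie attributes on by default, a config record that simply lacks the keys keeps those defaults, and only an explicit opt-out relaxes them for a local development server on 127.0.0.1) can be shown in a few lines. This is an added example written for this page; it is not fmltc's code and not Flask's config loader. The key names mirror Flask's `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_SAMESITE`; the `datastore` dict standing in for the project's config store, the `app_host` argument and the loopback-only guard are constructed for the example. The `audit_set_cookie` helper is the check a reviewer would run against a real `Set-Cookie` header to confirm the deployed setting.

```python
"""Session-cookie policy with secure defaults (added example, not fmltc code).

Config keys mirror Flask's SESSION_COOKIE_SECURE / SESSION_COOKIE_SAMESITE.
The datastore dict, app_host argument and loopback guard are constructed
for this example.
"""
from http.cookies import SimpleCookie

# A config record that lacks a key entirely falls back to these values.
SECURE_DEFAULTS = {
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_SAMESITE": "Strict",
}

# Constructed guard: the Secure flag may only be dropped for a plain-HTTP
# development server bound to a loopback address.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

VALID_SAMESITE = {"Strict", "Lax", "None"}


def resolve_cookie_settings(datastore, app_host):
    """Merge a possibly partial config record over the secure defaults.

    Only an explicit False turns the Secure flag off; a missing key keeps the
    default, so records written before the setting existed are unaffected.
    """
    settings = dict(SECURE_DEFAULTS)
    for key in SECURE_DEFAULTS:
        if key in datastore:
            settings[key] = datastore[key]

    if settings["SESSION_COOKIE_SECURE"] is False and app_host not in LOOPBACK_HOSTS:
        raise ValueError(f"refusing insecure session cookie on non-loopback host {app_host!r}")
    if settings["SESSION_COOKIE_SAMESITE"] not in VALID_SAMESITE:
        raise ValueError(f"unknown SameSite value {settings['SESSION_COOKIE_SAMESITE']!r}")
    # Browsers reject SameSite=None without Secure; fail early rather than at login.
    if settings["SESSION_COOKIE_SAMESITE"] == "None" and not settings["SESSION_COOKIE_SECURE"]:
        raise ValueError("SameSite=None requires the Secure flag")
    return settings


def build_session_cookie(value, settings, name="session"):
    """Render the Set-Cookie value for a session cookie under `settings`."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True      # keep the cookie out of reach of page scripts
    morsel["samesite"] = settings["SESSION_COOKIE_SAMESITE"]
    if settings["SESSION_COOKIE_SECURE"]:
        morsel["secure"] = True    # only sent over HTTPS
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Report which protections a Set-Cookie value carries.

    Run this against a live server's response header to confirm the
    deployed policy. samesite is None when the attribute is absent.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return {
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "samesite": attrs.get("samesite"),
    }


if __name__ == "__main__":
    # Constructed inputs: an empty record (pre-existing datastore) and a dev opt-out.
    for record, host in (({}, "fmltc.example.test"),
                         ({"SESSION_COOKIE_SECURE": False}, "127.0.0.1")):
        cfg = resolve_cookie_settings(record, host)
        header = build_session_cookie("opaque-session-value", cfg)
        print(host, "->", header)
        print("   audit:", audit_set_cookie(header))
```

With an empty record the cookie is emitted with `HttpOnly; Path=/; SameSite=Strict; Secure`; with the dev opt-out on 127.0.0.1 only the `Secure` attribute disappears, and the same opt-out on any other host is rejected before a cookie is ever built.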