From 5842e2f60a6cfda333c3273ffe3e2c24b3dfb513 Mon Sep 17 00:00:00 2001
From: Robert von Burg
Date: Fri, 23 Apr 2021 12:55:32 +0200
Subject: [PATCH] [New] Added setting for SameSite and Domain attributes on auth cookies

---
 .../rest/endpoint/AuthenticationService.java | 33 ++++++++++++++++---
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java
index 4ded7e194..3cf0bf007 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java
@@ -23,6 +23,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.*;
 import javax.ws.rs.core.*;
 import javax.ws.rs.core.Response.Status;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.text.MessageFormat;
 import java.time.LocalDateTime;
 import java.util.Base64;
@@ -342,7 +344,17 @@ public class AuthenticationService {
 logger.warn(msg);
 }
- NewCookie cookie = new NewCookie(STROLCH_AUTHORIZATION, certificate.getAuthToken(), "/", null,
+ String domain;
+ try {
+ domain = new URL(request.getRequestURL().toString()).getHost();
+ } catch (MalformedURLException e) {
+ logger.error("Failed to parse URL: " + request.getRequestURL().toString(), e);
+ domain = null;
+ }
+ String path = "/;SameSite=Strict";
+ NewCookie cookie = new NewCookie(STROLCH_AUTHORIZATION, certificate.getAuthToken(), path, domain,
 "Authorization header", (int) TimeUnit.DAYS.toSeconds(1), secureCookie);
 return Response.ok().entity(jsonObject.toString())//
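Review bot: Setting `Domain` to the host taken from `request.getRequestURL()` (hunk at @@ -342) turns the auth cookie from a host-only cookie into a domain cookie, so browsers also send it to every subdomain, which is broader than the previous `null`; and when the request host is an IP literal or, behind a reverse proxy, differs from the host the browser addressed, the cookie is rejected outright and the login silently does not stick. Unless a configured domain is genuinely required, keeping `domain = null` gives the stricter host-only scope; if the request host is wanted, `String domain = request.getServerName();` avoids the URL round-trip and the `MalformedURLException` branch entirely. The `"/;SameSite=Strict"` value smuggles the attribute through `NewCookie`'s path field, which only works while the JAX-RS runtime emits `Path=` unquoted, so the line deserves a comment such as `// SameSite is appended to Path because javax.ws.rs NewCookie has no SameSite attribute; relies on the runtime not quoting the path`. The identical domain/path block is repeated in the second hunk (@@ -437) and could live in one private helper so both cookie-issuing paths stay in step. The enclosing method's body continues outside the hunk.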
@@ -437,10 +449,21 @@ public class AuthenticationService {
 }
 if (setCookies) {
- NewCookie authCookie = new NewCookie(STROLCH_AUTHORIZATION, authToken, "/", null, "Authorization header",
- cookieMaxAge, secureCookie);
- NewCookie authExpirationCookie = new NewCookie(STROLCH_AUTHORIZATION_EXPIRATION_DATE, expirationDateS, "/",
- null, "Authorization Expiration Date", cookieMaxAge, secureCookie);
+
+ String domain;
+ try {
+ domain = new URL(request.getRequestURL().toString()).getHost();
+ } catch (MalformedURLException e) {
+ logger.error("Failed to parse URL: " + request.getRequestURL().toString(), e);
+ domain = null;
+ }
+
+ String path = "/;SameSite=Strict";
+
+ NewCookie authCookie = new NewCookie(STROLCH_AUTHORIZATION, authToken, path, domain,
+ "Strolch Authorization header", cookieMaxAge, secureCookie);
+ NewCookie authExpirationCookie = new NewCookie(STROLCH_AUTHORIZATION_EXPIRATION_DATE, expirationDateS, path,
+ domain, "Strolch Authorization Expiration Date", cookieMaxAge, secureCookie);
 return Response.ok().entity(loginResult.toString()) //
 .header(HttpHeaders.AUTHORIZATION, authToken) //