Support for SameSite in cookies.

Author: rohe

Diff for: src/oidcrp/cookie.py

@@ -3,6 +3,7 @@
 import hmac
 import logging
 import os
+import sys
 import time
 
 from http.cookies import SimpleCookie
@@ -107,7 +108,7 @@ def _make_hashed_key(parts, hashfunc='sha256'):
 
 
 def make_cookie(name, load, seed, expire=0, domain="", path="", timestamp="",
-                enc_key=None):
+                enc_key=None, secure=True, http_only=True, same_site=""):
     """
     Create and return a cookie
 
@@ -137,6 +138,13 @@ def make_cookie(name, load, seed, expire=0, domain="", path="", timestamp="",
     :type timestamp: text
     :param enc_key: The key to use for cookie encryption.
     :type enc_key: byte string
+    :param secure: A secure cookie is only sent to the server with an encrypted request over the
+    HTTPS protocol.
+    :type secure: boolean
+    :param http_only: HttpOnly cookies are inaccessible to JavaScript's Document.cookie API
+    :type http_only: boolean
+    :param same_site: Whether SameSite (None,Strict or Lax) should be added to the cookie
+    :type same_site: byte string
     :return: A tuple to be added to headers
     """
     cookie = SimpleCookie()
@@ -172,13 +180,24 @@ def make_cookie(name, load, seed, expire=0, domain="", path="", timestamp="",
             cookie_signature(seed, load, timestamp).encode('utf-8')]
 
     cookie[name] = (b"|".join(cookie_payload)).decode('utf-8')
+
+    # Necessary if Python version < 3.8
+    if sys.version_info[:2] <= (3, 8):
+        cookie[name]._reserved[str("samesite")] = str("SameSite")
+
     if path:
         cookie[name]["path"] = path
     if domain:
         cookie[name]["domain"] = domain
     if expire:
         cookie[name]["expires"] = _expiration(expire,
                                               "%a, %d-%b-%Y %H:%M:%S GMT")
+    if secure:
+        cookie[name]["Secure"] = secure
+    if http_only:
+        cookie[name]["httponly"] = http_only
+    if same_site:
+        cookie[name]["SameSite"] = same_site
 
     return tuple(cookie.output().split(": ", 1))
 

Diff for: tests/test_02_cookie.py

@@ -2,6 +2,7 @@
 from http.cookies import SimpleCookie
 
 import pytest
+from oidcrp.cookie import make_cookie
 
 from oidcservice.exception import ImproperlyConfigured
 from oidcrp.cookie import CookieDealer
@@ -143,3 +144,26 @@ def test_cookie_parts():
                       '1463043535',
                       '18a201305fa15a96ce4048e1fbb03f7715f86499']
 
+
+def test_cookie_default():
+    kaka = make_cookie('test', "data", b"1234567890abcdefg")
+    assert "Secure" in kaka[1]
+    assert "HttpOnly" in kaka[1]
+    assert "SameSite" not in kaka[1]
+
+
+def test_cookie_http_only_false():
+    kaka = make_cookie('test', "data", b"1234567890abcdefg", http_only=False)
+    assert "Secure" in kaka[1]
+    assert "HttpOnly" not in kaka[1]
+
+
+def test_cookie_not_secure():
+    kaka = make_cookie('test', "data", b"1234567890abcdefg", secure=False)
+    assert "Secure" not in kaka[1]
+    assert "HttpOnly" in kaka[1]
+
+
+def test_cookie_same_site_none():
+    kaka = make_cookie('test', "data", b"1234567890abcdefg", same_site="None")
+    assert "SameSite=None" in kaka[1]

Diff for: tests/test_14_oidc.py

@@ -4,10 +4,8 @@
 import time
 
 import pytest
-
 from cryptojwt.jwk.rsa import import_private_rsa_key_from_file
 from cryptojwt.key_bundle import KeyBundle
-
 from oidcmsg.oauth2 import AccessTokenRequest
 from oidcmsg.oauth2 import AccessTokenResponse
 from oidcmsg.oauth2 import AuthorizationRequest