Implement secure cookie

auth.go

@@ -101,9 +101,13 @@ func mkerror(msg string) error {
 //     roles["user"] = 2
 //     roles["admin"] = 4
 //     roles["moderator"] = 3
+//
+// Secure cookie is set to true by default. Use the "AllowInsecureCookie" method to unset
+// it for test environments without https.
 func NewAuthorizer(backend AuthBackend, key []byte, defaultRole string, roles map[string]Role) (Authorizer, error) {
 	var a Authorizer
 	a.cookiejar = sessions.NewCookieStore([]byte(key))
+	a.cookiejar.Options.Secure = true
 	a.backend = backend
 	a.roles = roles
 	a.defaultRole = defaultRole
@@ -113,6 +117,13 @@ func NewAuthorizer(backend AuthBackend, key []byte, defaultRole string, roles ma
 	return a, nil
 }
 
+// AllowInsecureCookie sets the requirement for Secure cookies to false.
+// This setting is intended for use in test environments where https is
+// not available and shouldn't be used for production use.
+func (a Authorizer) AllowInsecureCookie() {
+	a.cookiejar.Options.Secure = false
+}
+
 // Login logs a user in. They will be redirected to dest or to the last
 // location an authorization redirect was triggered (if found) on success. A
 // message will be added to the session on failure with the reason.
@@ -269,13 +280,7 @@ func (a Authorizer) Authorize(rw http.ResponseWriter, req *http.Request, redirec
 		}
 		return mkerror("new authorization session")
 	}
-	/*if authSession.IsNew {
-	    if redirectWithMessage {
-	        a.goBack(rw, req)
-	        a.addMessage(rw, req, "Log in to do that.")
-	    }
-	    return mkerror("no session existed")
-	}*/
+
 	username := authSession.Values["username"]
 	if !authSession.IsNew && username != nil {
 		_, err := a.backend.User(username.(string))
@@ -292,6 +297,14 @@ func (a Authorizer) Authorize(rw http.ResponseWriter, req *http.Request, redirec
 		}
 	}
 	if username == nil {
+		// Check if the problem might be secure cookies required but over http.
+		if authSession.Options.Secure && req.TLS == nil {
+			if redirectWithMessage {
+				a.goBack(rw, req)
+				a.addMessage(rw, req, "Requires https connection to login.")
+			}
+			return mkerror("secure cookie requires https connection")
+		}
 		if redirectWithMessage {
 			a.goBack(rw, req)
 			a.addMessage(rw, req, "Log in to do that.")

auth_test.go

@@ -14,10 +14,11 @@ var (
 	file       = "auth_test.gob"
 	c          http.Client
 	authCookie http.Cookie
+	roles      map[string]Role
 )
 
 func init() {
-	roles := make(map[string]Role)
+	roles = make(map[string]Role)
 	roles["user"] = 40
 	roles["admin"] = 80
 	t, _ := time.Parse("Mon, 02 Jan 2006 15:04:05 MST", "Mon, 07 Apr 2014 21:47:54 UTC")
@@ -41,13 +42,21 @@ func TestNewAuthorizer(t *testing.T) {
 		t.Fatal(err.Error())
 	}
 
-	roles := make(map[string]Role)
-	roles["user"] = 40
-	roles["admin"] = 80
 	a, err = NewAuthorizer(b, []byte("testkey"), "user", roles)
 	if err != nil {
 		t.Fatal(err.Error())
 	}
+
+	if !a.cookiejar.Options.Secure {
+		t.Error("Cookie should be secure by default.")
+	}
+}
+
+func TestAllowInsecureCookie(t *testing.T) {
+	a.AllowInsecureCookie()
+	if a.cookiejar.Options.Secure {
+		t.Error("Cookie should be set to insecure.")
+	}
 }
 
 func TestRegister(t *testing.T) {

examples/server.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"html/template"
 	"net/http"
-	"strings"
 	"os"
+	"strings"
 
 	"github.com/apexskier/httpauth"
 	"github.com/gorilla/mux"
@@ -35,6 +35,8 @@ func main() {
 	roles["user"] = 30
 	roles["admin"] = 80
 	aaa, err = httpauth.NewAuthorizer(backend, []byte("cookie-encryption-key"), "user", roles)
+	// Don't use this function for production! Only used for testing when https is not available.
+	aaa.AllowInsecureCookie()
 
 	// create a default user
 	username := "admin"