Micronaut-core: Allow for configuration of secure cookie

@adityasrini Opened this based on the conversation on gitter.

Setting micronaut.session.http.cookie-secure: true seems to still have non SECURE cookies. I'm using the 1.2.2 snapshot build fwiw.

@adityasrini I believe you would have to use 1.3.0 snapshot. That's what James tagged it with. Also there was an issue with 1.3.0 snapshot builds via gitter but it looks like it got resolved today.

You're right. I switched to the 1.3.0 snapshot. But I still don't see the Secure flag in the set-cookie header from the server response.

@adityasrini Looks like its still not building snapshots correctly. Last date pushed was Aug 12th :( So what was mentioned resolved on gitter is not quite yet. cc @jameskleeh . So i think your only option currently is to just build it from master directly for the time being until that is resolved.

:( @zendern thanks for the heads up on that! I’ll just wait for a few more days before I work on this then. Appreciate you looking into this for me!

Hello @zendern, the issue still exists with Micronaut 1.3.4. I find that HttpRequest.isSecure returns false, even when the request comes from an origin with https scheme.

val cookie = Cookie.of(jwtCookieConfiguration.cookieName, accessToken)
cookie.configure(jwtCookieConfiguration, request.isSecure)

So it will never actually set the Secure flag even if I set the cookie.cookie-secure property to true.

Hello @zendern, the issue still exists with Micronaut 1.3.4. I find that HttpRequest.isSecure returns false, even when the request comes from an origin with https scheme.

val cookie = Cookie.of(jwtCookieConfiguration.cookieName, accessToken)
cookie.configure(jwtCookieConfiguration, request.isSecure)

So it will never actually set the Secure flag even if I set the cookie.cookie-secure property to true.

@abedurftig As the issue says above we are not looking at headers in this case, we only allow for micronaut.session.http.cookie-secure and that property would only take effect on the session cookie only so what you are doing above would never use the micronaut.session.http.cookie-secure property.

See here:
https://github.com/micronaut-projects/micronaut-core/blob/72c84cbf04cc8925b31bfff5717715d636070a9d/session/src/main/java/io/micronaut/session/http/CookieHttpSessionStrategy.java#L112

From what I see right now all the implementations of request.isSecure only look at if micronaut is configured for ssl and do not look at any of the original X- headers.

Default impl :
https://github.com/micronaut-projects/micronaut-core/blob/96d473796f81064dc54ea6bb1299b45b5592d576/http/src/main/java/io/micronaut/http/HttpRequest.java#L121-L127

Netty impl :
https://github.com/micronaut-projects/micronaut-core/blob/96d473796f81064dc54ea6bb1299b45b5592d576/http-server-netty/src/main/java/io/micronaut/http/server/netty/NettyHttpRequest.java#L157-L161

So if that is something you need, it's probably good to spin up a new card to get that rolling. And I'll defer to @jameskleeh on his thoughts on X- headers stuff again. We decided to just do a config option back in September (see here https://gitter.im/micronautfw/questions?at=5d725e7dc59390272022c179) since there was no real good standardization around those X- headers. But maybe there is another configuration option we could do to just force request.isSecure to be true if you config it that way.

@zendern, thanks for your reply. I realized I am in the wrong thread here I guess. Are you saying that the Micronaut HttpRequest depends on headers in the request? Because I always find the scheme to be null.

@zendern, thanks for your reply. I realized I am in the wrong thread here I guess. Are you saying that the Micronaut HttpRequest depends on headers in the request? Because I always find the scheme to be null.

No, what I’m saying is Micronaut doesn’t look at the headers at all right now and only can determine if it secure if you have enabled ssl at the micronaut app level currently.

Any way to reopen this issue ?
It still have the same issue on my side. A standard micronaut app in http served by a loadbalancer.

I have successfully let micronaut understand I was behind a ssl proxy tunning configuration (for oauth auth) :

    micronaut:
      server:
        host-resolution:
          host-header: Host
          protocol-header: X-Forwarded-Proto

Now I try to have a secure cookie for the JWT token :

    micronaut:
      security:
        token:
          jwt:
            cookie:
              cookie-secure: true

But this don't work because of :
https://github.com/micronaut-projects/micronaut-core/blob/f4bcab90fde51264fc71fb3be62dbfdddb01b517/http/src/main/java/io/micronaut/http/cookie/Cookie.java#L166-L179

I think you should remove the if (isSecure) { condition. Since the user explicitly configure a secure cookie, we need to trust him.
I don't see any point the user will configure this options and without having a proxy in front since the option is useless for people with server that listen on http & https and the default behavior works well

I agree this is a bug however changing the behavior will cause any default configuration to be applied where it previously wouldn't have. For example https://github.com/micronaut-projects/micronaut-core/blob/b4ba43384bf52072a9fab88508a8d82fa7aeec03/multitenancy/src/main/java/io/micronaut/multitenancy/writer/CookieTenantWriterConfigurationProperties.java#L78 sets the default to true so that would switch the secure flag on the cookie for those who aren't configuring it explicitly.

This isn't the right place to discuss this issue so I'll open a new one