| author | mo khan <mo@mokhan.ca> | 2025-04-30 12:02:14 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-30 12:02:14 -0600 |
| commit | 197ef4ee79e7c4881c5c612115326f4e874c9415 (patch) | |
| tree | 3d79d3556124ffee07a9d4f3791a81cd915f733b /app/controllers/sessions | |
| parent | b992722e806e45ac3ade8ced829d939299c37c41 (diff) | |
fix: the CSRF cookie needs to have a same site lax mode
Diffstat (limited to 'app/controllers/sessions')
| -rw-r--r-- | app/controllers/sessions/controller.go | 5 | ||||
| -rw-r--r-- | app/controllers/sessions/service.go | 3 |
2 files changed, 6 insertions, 2 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 8d0e858..5babe7d 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -33,7 +33,10 @@ func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
 	}
 	url, nonce := c.svc.GenerateRedirectURL()
-	http.SetCookie(w, cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute)))
+	cookie := cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute))
+	// This cookie must be sent as part of a redirect that originates from the OIDC Provider
+	cookie.SameSite = http.SameSiteLaxMode
+	http.SetCookie(w, cookie)
 	http.Redirect(w, r, url, http.StatusFound)
 }
diff --git a/app/controllers/sessions/service.go b/app/controllers/sessions/service.go
index 0ee692a..0fd7692 100644
--- a/app/controllers/sessions/service.go
+++ b/app/controllers/sessions/service.go
@@ -3,6 +3,7 @@ package sessions
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/http"
 
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
@@ -34,7 +35,7 @@ func (svc *Service) GenerateRedirectURL() (string, string) {
 
 func (svc *Service) Exchange(r *http.Request) (*oidc.Tokens, error) {
 	cookies := r.CookiesNamed("oauth_state")
 	if len(cookies) != 1 {
-		return nil, errors.New("Missing CSRF token")
+		return nil, errors.New(fmt.Sprintf("Missing CSRF token: %v, cookies: %v", len(cookies), r.Cookies()))
 	}
 	state := r.URL.Query().Get("state") |
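Review bot: In the controller.go hunk, `cookie := cookie.New(...)` declares a local named `cookie` that shadows the imported `cookie` package for the rest of `New`; it compiles because the right-hand side is evaluated before the new name enters scope, but it is confusing and any later use of the package in this function would silently resolve to the local. Renaming the local avoids that: `stateCookie := cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute))`, `stateCookie.SameSite = http.SameSiteLaxMode`, `http.SetCookie(w, stateCookie)`. Lax is the right mode for a cookie that must survive the top-level redirect back from the provider, but whether `Secure` and `HttpOnly` are set is not visible here (it depends on `cookie.New`); if they are not, this is the place to set them, since the value is the CSRF nonce. The comment could say why Lax specifically: `// SameSite=Lax so the browser still sends this cookie on the top-level GET redirect back from the OIDC provider; Strict would drop it.` The body of `New` begins outside the hunk.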
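Review bot: In the service.go `Exchange` hunk, the new error string embeds `r.Cookies()`, which formats every cookie the browser sent, names and values included, into the error; wherever that error is logged or surfaced, any session or auth cookie on the request is copied along with it. The diagnostic value wanted here is only the count of `oauth_state` cookies (and at most the cookie names), so the line should be `return nil, fmt.Errorf("missing CSRF token: expected 1 oauth_state cookie, got %d", len(cookies))`. `errors.New(fmt.Sprintf(...))` is also the pattern staticcheck flags in favor of `fmt.Errorf`, and Go error strings are conventionally lowercase. `Exchange`'s body continues past the end of the hunk.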
