From a3513b1bdfe7cc848d87a69b92be33aea36321e7 Mon Sep 17 00:00:00 2001
From: YAEGASHI Takeshi
Date: Mon, 2 Nov 2020 03:10:50 +0900
Subject: [PATCH] fix: enable passport-azure-ad workaround for SameSite cookies (#2567)

This adds cookieEncryptionKeyString configuration in the Azure AD authentication module. It represents an array of cookie encryption strings and enables workaround for SameSite cookies.
---
 .../authentication/azure/authentication.js | 18 +++++++++++++++++-
 .../authentication/azure/definition.yml | 6 +++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/server/modules/authentication/azure/authentication.js b/server/modules/authentication/azure/authentication.js
index 0ccb6ed5..711ddb37 100644
--- a/server/modules/authentication/azure/authentication.js
+++ b/server/modules/authentication/azure/authentication.js
@@ -10,6 +10,19 @@ const OIDCStrategy = require('passport-azure-ad').OIDCStrategy
 module.exports = {
 init (passport, conf) {
+ // Workaround for Chrome's SameSite cookies
+ // cookieSameSite needs useCookieInsteadOfSession to work correctly.
+ // cookieEncryptionKeys is extracted from conf.cookieEncryptionKeyString.
+ // It's a concatnation of 44-character length strings each of which represents a single pair of key/iv.
+ // Valid cookieEncryptionKeys enables both cookieSameSite and useCookieInsteadOfSession.
+ const keyArray = [];
+ if (conf.cookieEncryptionKeyString) {
+ let keyString = conf.cookieEncryptionKeyString;
+ while (keyString.length >= 44) {
+ keyArray.push({ key: keyString.substring(0, 32), iv: keyString.substring(32, 44) });
+ keyString = keyString.substring(44);
+ }
+ }
 passport.use('azure', new OIDCStrategy({
 identityMetadata: conf.entryPoint,
@@ -19,7 +32,10 @@ module.exports = {
 responseMode: 'form_post',
 scope: ['profile', 'email', 'openid'],
 allowHttpForRedirectUrl: WIKI.IS_DEBUG,
- passReqToCallback: true
+ passReqToCallback: true,
+ cookieSameSite: keyArray.length > 0,
+ useCookieInsteadOfSession: keyArray.length > 0,
+ cookieEncryptionKeys: keyArray
 }, async (req, iss, sub, profile, cb) => {
 const usrEmail = _.get(profile, '_json.email', null) || _.get(profile, '_json.preferred_username')
 try {
diff --git a/server/modules/authentication/azure/definition.yml b/server/modules/authentication/azure/definition.yml
index 5c4ebc51..ad7d41eb 100644
--- a/server/modules/authentication/azure/definition.yml
+++ b/server/modules/authentication/azure/definition.yml
@@ -22,4 +22,8 @@ props:
 title: Client ID
 hint: The client ID of your application in AAD (Azure Active Directory)
 order: 2
-
+ cookieEncryptionKeyString:
+ type: String
+ title: Cookie Encryption Key String
+ hint: Random string with 44-character length. Setting this enables workaround for Chrome's SameSite cookies.
+ order: 3
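Review bot: `cookieSameSite: keyArray.length > 0` and `useCookieInsteadOfSession: keyArray.length > 0` silently turn the workaround off whenever the configured string parses to zero keys — a non-empty cookieEncryptionKeyString shorter than 44 characters (or any trailing partial segment) is dropped by the loop in the previous hunk without an error, so an operator who mistyped the value gets the SameSite failures back with no indication why. I would reject a malformed value before this options object is built, e.g. `if (conf.cookieEncryptionKeyString && conf.cookieEncryptionKeyString.length % 44 !== 0) { throw new Error('cookieEncryptionKeyString must be a non-empty multiple of 44 characters (32-char key + 12-char iv)') }`, or at minimum log a warning when the string was set but keyArray ends up empty. The definition.yml hint in the last hunk describes a single 44-character string while the code and its comment accept a concatenation of several pairs; the two should say the same thing, and the hint should state that the value must be generated from a cryptographically secure random source. `substring` counts UTF-16 code units, so a non-ASCII value yields key/iv byte lengths other than 32/12 — presumably the library rejects that, but restricting the setting to ASCII (or hex/base64-decoding it) would make the contract explicit. Since each configured iv is a fixed value rather than derived per cookie, it is worth confirming how passport-azure-ad uses it before relying on these cookies to carry state.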