refactor: moved thirdPartyCheckUrl under features.sessionManagement

BREAKING CHANGE: `cookies.thirdPartyCheckUrl` is now configured with `features.sessionManagement.thirdPartyCheckUrl` instead
panva · Sep 26, 2018 · c3f84b2 · c3f84b2
1 parent cd57d77
commit c3f84b2
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 31 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -63,7 +63,6 @@ is a good starting point to get an idea of what you should provide.
   - [cookies.long](#cookieslong)
   - [cookies.names](#cookiesnames)
   - [cookies.short](#cookiesshort)
-  - [cookies.thirdPartyCheckUrl](#cookiesthirdpartycheckurl)
   - [deviceFlowSuccess](#devicecodesuccess)
   - [discovery](#discovery)
   - [dynamicScopes](#dynamicscopes)
@@ -1095,9 +1094,12 @@ false
   <br>
 
 
-The User-Agent must allow access to the provider cookies from a third-party context when the OP frame is embedded. Oidc-provider checks if this is enabled using a [CDN hosted](https://rawgit.com/) [iframe][third-party-cookies-git]. It is recommended to host these helper pages on your own (on a different domain from the one you host oidc-provider on). Once hosted, set the `cookies.thirdPartyCheckUrl` to an absolute URL for the start page. See [this][third-party-cookies-so] for more info. Note: This is still just a best-effort solution and is in no way bulletproof. Currently there's no better way to check if access to third party cookies has been blocked or the cookies are just missing. (ITP2.0 Storage Access API is also not an option)  
-
+The User-Agent must allow access to the provider cookies from a third-party context when the OP frame is embedded. Oidc-provider checks if this is enabled using a [CDN hosted](https://rawgit.com/) [iframe][third-party-cookies-git]. It is recommended to host these helper pages on your own (on a different domain from the one you host oidc-provider on). Once hosted, set the `features.sessionManagement.thirdPartyCheckUrl` to an absolute URL for the start page. See [this][third-party-cookies-so] for more info. Note: This is still just a best-effort solution and is in no way bulletproof. Currently there's no better way to check if access to third party cookies has been blocked or the cookies are just missing. (ITP2.0 Storage Access API is also not an option) Configure `features.sessionManagement` as an object like so:
+  
 
+```js
+{ thirdPartyCheckUrl: 'https://your-location.example.com/start.html' },
+```
 </details>
 <details>
   <summary>(Click to expand) To disable removing frame-ancestors from Content-Security-Policy and X-Frame-Options</summary>
@@ -1260,17 +1262,6 @@ _**default value**_:
   maxAge: 600000 }
 ```
 
-### cookies.thirdPartyCheckUrl
-
-URL for 3rd party cookies support check helper  
-
-_**affects**_: sessionManagement feature  
-
-_**default value**_:
-```js
-'https://cdn.rawgit.com/panva/3rdpartycookiecheck/92fead3f/start.html'
-```
-
 ### deviceFlowSuccess
 
 HTML source rendered when device code feature renders a success page for the User-Agent.  

diff --git a/lib/actions/check_session.js b/lib/actions/check_session.js
@@ -10,7 +10,7 @@ const buildParams = getParams(PARAM_LIST);
 
 module.exports = function checkSessionAction(provider) {
   const removeHeaders = !instance(provider).configuration('features.sessionManagement.keepHeaders');
-  const thirdPartyCheckUrl = instance(provider).configuration('cookies.thirdPartyCheckUrl');
+  const thirdPartyCheckUrl = instance(provider).configuration('features.sessionManagement.thirdPartyCheckUrl');
 
   return {
     get: async function checkSessionIframe(ctx, next) {

diff --git a/lib/helpers/configuration_schema.js b/lib/helpers/configuration_schema.js
@@ -4,6 +4,7 @@ const {
 
 const { JWA } = require('../consts');
 
+const attention = require('./attention');
 const defaults = require('./defaults');
 
 function authEndpointDefaults(config) {
@@ -77,6 +78,13 @@ module.exports = class ConfigurationSchema {
       }
     }
 
+    if (get(this, 'features.sessionManagement')) {
+      if (!this.features.sessionManagement.thirdPartyCheckUrl) {
+        attention.warn('configuration features.sessionManagement.thirdPartyCheckUrl is missing, it should be set when running in production');
+        set(this, 'features.sessionManagement.thirdPartyCheckUrl', 'https://cdn.rawgit.com/panva/3rdpartycookiecheck/92fead3f/start.html');
+      }
+    }
+
     this.ensureMaps();
     this.checkWhitelistedAlgs();
     this.collectScopes();

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -123,15 +123,6 @@ const DEFAULTS = {
      *   and re-signed
      */
     keys: [],
-
-    /*
-     * cookies.thirdPartyCheckUrl
-     *
-     * description: URL for 3rd party cookies support check helper
-     * affects: sessionManagement feature
-     *
-     */
-    thirdPartyCheckUrl: 'https://cdn.rawgit.com/panva/3rdpartycookiecheck/92fead3f/start.html', // TODO: move under sessionManagement in next major
   },
 
 
@@ -457,12 +448,18 @@ const DEFAULTS = {
      *
      * oidc-provider checks if this is enabled using a [CDN hosted](https://rawgit.com/) [iframe][third-party-cookies-git].
      * It is recommended to host these helper pages on your own (on a different domain from the one
-     * you host oidc-provider on). Once hosted, set the `cookies.thirdPartyCheckUrl` to an absolute
+     * you host oidc-provider on). Once hosted, set the `features.sessionManagement.thirdPartyCheckUrl` to an absolute
      * URL for the start page. See [this][third-party-cookies-so] for more info.
      *
      * Note: This is still just a best-effort solution and is in no way bulletproof. Currently there's
      * no better way to check if access to third party cookies has been blocked or the cookies are just
-     * missing. (ITP2.0 Storage Access API is also not an option)
+     * missing. (Safari's ITP 2.0 Storage Access API also cannot be used)
+     *
+     * Configure `features.sessionManagement` as an object like so:
+     *
+     * ```js
+     * { thirdPartyCheckUrl: 'https://your-location.example.com/start.html' },
+     * ```
      *
      * example: To disable removing frame-ancestors from Content-Security-Policy and X-Frame-Options
      * Only do this if you know what you're doing either in a followup middleware or your app server,

diff --git a/lib/provider.js b/lib/provider.js
@@ -102,11 +102,6 @@ class Provider extends events.EventEmitter {
       attention.warn('configuration cookies.keys is missing, this option is critical to detect and ignore tampered cookies');
     }
 
-    if (setup.features && setup.features.sessionManagement
-        && (!setup.cookies || !setup.cookies.thirdPartyCheckUrl)) {
-      attention.warn('configuration cookies.thirdPartyCheckUrl is missing, it should be set when running in production');
-    }
-
     instance(this).app = app;
 
     instance(this).defaultHttpOptions = {