coder
diff --git a/‎cli/server.go
Lines changed: 0 additions & 1 deletion b/‎cli/server.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 3 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 14 additions & 3 deletions b/‎coderd/apidoc/docs.go
Lines changed: 14 additions & 3 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 14 additions & 3 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 14 additions & 3 deletions
diff --git a/‎coderd/apikey.go
Lines changed: 2 additions & 4 deletions b/‎coderd/apikey.go
Lines changed: 2 additions & 4 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 5 additions & 6 deletions b/‎coderd/coderd.go
Lines changed: 5 additions & 6 deletions
diff --git a/‎coderd/coderdtest/oidctest/idp.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/oidctest/idp.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderdtest/testjar/cookiejar.go
Lines changed: 33 additions & 0 deletions b/‎coderd/coderdtest/testjar/cookiejar.go
Lines changed: 33 additions & 0 deletions
diff --git a/‎coderd/httpmw/csrf.go
Lines changed: 2 additions & 2 deletions b/‎coderd/httpmw/csrf.go
Lines changed: 2 additions & 2 deletions
@@ -641,7 +641,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				GoogleTokenValidator:        googleTokenValidator,
 				ExternalAuthConfigs:         externalAuthConfigs,
 				RealIPConfig:                realIPConfig,
-				SecureAuthCookie:            vals.SecureAuthCookie.Value(),
 				SSHKeygenAlgorithm:          sshKeygenAlgorithm,
 				TracerProvider:              tracerProvider,
 				Telemetry:                   telemetry.NewNoop(),
 
@@ -251,6 +251,9 @@ NETWORKING OPTIONS:
           Specifies whether to redirect requests that do not match the access
           URL host.
 
+      --samesite-auth-cookie lax|none, $CODER_SAMESITE_AUTH_COOKIE (default: lax)
+          Controls the 'SameSite' property is set on browser session cookies.
+
       --secure-auth-cookie bool, $CODER_SECURE_AUTH_COOKIE
           Controls if the 'Secure' property is set on browser session cookies.
 
 
@@ -174,6 +174,9 @@ networking:
   # Controls if the 'Secure' property is set on browser session cookies.
   # (default: <unset>, type: bool)
   secureAuthCookie: false
+  # Controls the 'SameSite' property is set on browser session cookies.
+  # (default: lax, type: enum[lax\|none])
+  sameSiteAuthCookie: lax
   # Whether Coder only allows connections to workspaces via the browser.
   # (default: <unset>, type: bool)
   browserOnly: false
 
@@ -382,12 +382,10 @@ func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*
 		APIKeys: []telemetry.APIKey{telemetry.ConvertAPIKey(newkey)},
 	})
 
-	return &http.Cookie{
+	return api.DeploymentValues.HTTPCookies.Apply(&http.Cookie{
 		Name:     codersdk.SessionTokenCookie,
 		Value:    sessionToken,
 		Path:     "/",
 		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-		Secure:   api.SecureAuthCookie,
-	}, &newkey, nil
+	}), &newkey, nil
 }
@@ -155,7 +155,6 @@ type Options struct {
 	GithubOAuth2Config             *GithubOAuth2Config
 	OIDCConfig                     *OIDCConfig
 	PrometheusRegistry             *prometheus.Registry
-	SecureAuthCookie               bool
 	StrictTransportSecurityCfg     httpmw.HSTSConfig
 	SSHKeygenAlgorithm             gitsshkey.Algorithm
 	Telemetry                      telemetry.Reporter
@@ -740,7 +739,7 @@ func New(options *Options) *API {
 		StatsCollector:      workspaceapps.NewStatsCollector(options.WorkspaceAppsStatsCollectorOptions),
 
 		DisablePathApps:          options.DeploymentValues.DisablePathApps.Value(),
-		SecureAuthCookie:         options.DeploymentValues.SecureAuthCookie.Value(),
+		Cookies:                  options.DeploymentValues.HTTPCookies,
 		APIKeyEncryptionKeycache: options.AppEncryptionKeyCache,
 	}
 
@@ -828,7 +827,7 @@ func New(options *Options) *API {
 				next.ServeHTTP(w, r)
 			})
 		},
-		httpmw.CSRF(options.SecureAuthCookie),
+		httpmw.CSRF(options.DeploymentValues.HTTPCookies),
 	)
 
 	// This incurs a performance hit from the middleware, but is required to make sure
@@ -868,7 +867,7 @@ func New(options *Options) *API {
 				r.Route(fmt.Sprintf("/%s/callback", externalAuthConfig.ID), func(r chi.Router) {
 					r.Use(
 						apiKeyMiddlewareRedirect,
-						httpmw.ExtractOAuth2(externalAuthConfig, options.HTTPClient, nil),
+						httpmw.ExtractOAuth2(externalAuthConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil),
 					)
 					r.Get("/", api.externalAuthCallback(externalAuthConfig))
 				})
@@ -1123,14 +1122,14 @@ func New(options *Options) *API {
 					r.Get("/github/device", api.userOAuth2GithubDevice)
 					r.Route("/github", func(r chi.Router) {
 						r.Use(
-							httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, nil),
+							httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, options.DeploymentValues.HTTPCookies, nil),
 						)
 						r.Get("/callback", api.userOAuth2Github)
 					})
 				})
 				r.Route("/oidc/callback", func(r chi.Router) {
 					r.Use(
-						httpmw.ExtractOAuth2(options.OIDCConfig, options.HTTPClient, oidcAuthURLParams),
+						httpmw.ExtractOAuth2(options.OIDCConfig, options.HTTPClient, options.DeploymentValues.HTTPCookies, oidcAuthURLParams),
 					)
 					r.Get("/", api.userOIDC)
 				})
 
@@ -1320,7 +1320,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 // requests will fail.
 func (f *FakeIDP) HTTPClient(rest *http.Client) *http.Client {
 	if f.serve {
-		if rest == nil || rest.Transport == nil {
+		if rest == nil {
 			return &http.Client{}
 		}
 		return rest
 
@@ -0,0 +1,33 @@
+package testjar
+
+import (
+	"net/http"
+	"net/url"
+	"sync"
+)
+
+func New() *Jar {
+	return &Jar{}
+}
+
+// Jar exists because 'cookiejar.New()' strips many of the http.Cookie fields
+// that are needed to assert. Such as 'Secure' and 'SameSite'.
+type Jar struct {
+	m      sync.Mutex
+	perURL map[string][]*http.Cookie
+}
+
+func (j *Jar) SetCookies(u *url.URL, cookies []*http.Cookie) {
+	j.m.Lock()
+	defer j.m.Unlock()
+	if j.perURL == nil {
+		j.perURL = make(map[string][]*http.Cookie)
+	}
+	j.perURL[u.Host] = append(j.perURL[u.Host], cookies...)
+}
+
+func (j *Jar) Cookies(u *url.URL) []*http.Cookie {
+	j.m.Lock()
+	defer j.m.Unlock()
+	return j.perURL[u.Host]
+}
@@ -16,10 +16,10 @@ import (
 // for non-GET requests.
 // If enforce is false, then CSRF enforcement is disabled. We still want
 // to include the CSRF middleware because it will set the CSRF cookie.
-func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
+func CSRF(cookieCfg codersdk.HTTPCookieConfig) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		mw := nosurf.New(next)
-		mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: secureCookie})
+		mw.SetBaseCookie(*cookieCfg.Apply(&http.Cookie{Path: "/", HttpOnly: true}))
 		mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
 			if err == nil &&
Original file line number	Diff line number	Diff line change
`@@ -1320,7 +1320,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {`
`1320`	`1320`	`// requests will fail.`
`1321`	`1321`	`func (f FakeIDP) HTTPClient(rest http.Client) *http.Client {`
`1322`	`1322`	`if f.serve {`
`1323`		`- if rest == nil \|\| rest.Transport == nil {`
	`1323`	`+ if rest == nil {`
`1324`	`1324`	`return &http.Client{}`
`1325`	`1325`	`}`
`1326`	`1326`	`return rest`