Revert "lib/anubis: support setting extended cookie flags (#120)" (#134)

This reverts commit e7cbd349f3ff96788dc7a8540d29808ca72e1c44.
author: Xe Iaso <me@xeiaso.net> 2025-03-26 20:50:54 -0400
committer: GitHub <noreply@github.com> 2025-03-26 20:50:54 -0400
commit: ecc6b47f90bd4ffc48d1555df8012d534fa5d180 (patch)
tree: 75ec8d9ff574742387b5b93f205eb36250c652a2 /lib/anubis.go
parent: e7cbd349f3ff96788dc7a8540d29808ca72e1c44 (diff)
download: anubis-ecc6b47f90bd4ffc48d1555df8012d534fa5d180.tar.xz
anubis-ecc6b47f90bd4ffc48d1555df8012d534fa5d180.zip
1 files changed, 22 insertions, 29 deletions
diff --git a/lib/anubis.go b/lib/anubis.go
index 6b5a1e3..6e40f95 100644
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -67,10 +67,6 @@ type Options struct {
 	Policy         *policy.ParsedConfig
 	ServeRobotsTXT bool
 	PrivateKey     ed25519.PrivateKey
-
-	CookieDomain      string
-	CookieName        string
-	CookiePartitioned bool
 }
 
 func LoadPoliciesOrDefault(fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
@@ -112,7 +108,6 @@ func New(opts Options) (*Server, error) {
 		priv:       opts.PrivateKey,
 		pub:        opts.PrivateKey.Public().(ed25519.PublicKey),
 		policy:     opts.Policy,
-		opts:       opts,
 		DNSBLCache: decaymap.New[string, dnsbl.DroneBLResponse](),
 	}
 
@@ -150,7 +145,6 @@ type Server struct {
 	priv                ed25519.PrivateKey
 	pub                 ed25519.PublicKey
 	policy              *policy.ParsedConfig
-	opts                Options
 	DNSBLCache          *decaymap.Impl[string, dnsbl.DroneBLResponse]
 	ChallengeDifficulty int
 }
@@ -223,7 +217,7 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 		s.next.ServeHTTP(w, r)
 		return
 	case config.RuleDeny:
-		s.ClearCookie(w)
+		ClearCookie(w)
 		lg.Info("explicit deny")
 		if rule == nil {
 			lg.Error("rule is nil, cannot calculate checksum")
@@ -242,29 +236,29 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 	case config.RuleChallenge:
 		lg.Debug("challenge requested")
 	default:
-		s.ClearCookie(w)
+		ClearCookie(w)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("Other internal server error (contact the admin)")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
 		return
 	}
 
-	ckie, err := r.Cookie(s.opts.CookieName)
+	ckie, err := r.Cookie(anubis.CookieName)
 	if err != nil {
 		lg.Debug("cookie not found", "path", r.URL.Path)
-		s.ClearCookie(w)
+		ClearCookie(w)
 		s.RenderIndex(w, r)
 		return
 	}
 
 	if err := ckie.Valid(); err != nil {
 		lg.Debug("cookie is invalid", "err", err)
-		s.ClearCookie(w)
+		ClearCookie(w)
 		s.RenderIndex(w, r)
 		return
 	}
 
 	if time.Now().After(ckie.Expires) && !ckie.Expires.IsZero() {
 		lg.Debug("cookie expired", "path", r.URL.Path)
-		s.ClearCookie(w)
+		ClearCookie(w)
 		s.RenderIndex(w, r)
 		return
 	}
@@ -275,7 +269,7 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 
 	if err != nil || !token.Valid {
 		lg.Debug("invalid token", "path", r.URL.Path, "err", err)
-		s.ClearCookie(w)
+		ClearCookie(w)
 		s.RenderIndex(w, r)
 		return
 	}
@@ -290,7 +284,7 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 	claims, ok := token.Claims.(jwt.MapClaims)
 	if !ok {
 		lg.Debug("invalid token claims type", "path", r.URL.Path)
-		s.ClearCookie(w)
+		ClearCookie(w)
 		s.RenderIndex(w, r)
 		return
 	}
@@ -298,7 +292,7 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 
 	if claims["challenge"] != challenge {
 		lg.Debug("invalid challenge", "path", r.URL.Path)
-		s.ClearCookie(w)
+		ClearCookie(w)
 		s.RenderIndex(w, r)
 		return
 	}
@@ -315,7 +309,7 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 	if subtle.ConstantTimeCompare([]byte(claims["response"].(string)), []byte(calculated)) != 1 {
 		lg.Debug("invalid response", "path", r.URL.Path)
 		failedValidations.Inc()
-		s.ClearCookie(w)
+		ClearCookie(w)
 		s.RenderIndex(w, r)
 		return
 	}
@@ -378,7 +372,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 
 	nonceStr := r.FormValue("nonce")
 	if nonceStr == "" {
-		s.ClearCookie(w)
+		ClearCookie(w)
 		lg.Debug("no nonce")
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("missing nonce")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
 		return
@@ -386,7 +380,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 
 	elapsedTimeStr := r.FormValue("elapsedTime")
 	if elapsedTimeStr == "" {
-		s.ClearCookie(w)
+		ClearCookie(w)
 		lg.Debug("no elapsedTime")
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("missing elapsedTime")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
 		return
@@ -394,7 +388,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 
 	elapsedTime, err := strconv.ParseFloat(elapsedTimeStr, 64)
 	if err != nil {
-		s.ClearCookie(w)
+		ClearCookie(w)
 		lg.Debug("elapsedTime doesn't parse", "err", err)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid elapsedTime")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
 		return
@@ -410,7 +404,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 
 	nonce, err := strconv.Atoi(nonceStr)
 	if err != nil {
-		s.ClearCookie(w)
+		ClearCookie(w)
 		lg.Debug("nonce doesn't parse", "err", err)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid nonce")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
 		return
@@ -420,7 +414,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	calculated := internal.SHA256sum(calcString)
 
 	if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {
-		s.ClearCookie(w)
+		ClearCookie(w)
 		lg.Debug("hash does not match", "got", response, "want", calculated)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
 		failedValidations.Inc()
@@ -429,7 +423,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 
 	// compare the leading zeroes
 	if !strings.HasPrefix(response, strings.Repeat("0", s.ChallengeDifficulty)) {
-		s.ClearCookie(w)
+		ClearCookie(w)
 		lg.Debug("difficulty check failed", "response", response, "difficulty", s.ChallengeDifficulty)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
 		failedValidations.Inc()
@@ -448,18 +442,17 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	tokenString, err := token.SignedString(s.priv)
 	if err != nil {
 		lg.Error("failed to sign JWT", "err", err)
-		s.ClearCookie(w)
+		ClearCookie(w)
 		templ.Handler(web.Base("Oh noes!", web.ErrorPage("failed to sign JWT")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
 		return
 	}
 
 	http.SetCookie(w, &http.Cookie{
-		Name:        s.opts.CookieName,
-		Value:       tokenString,
-		Expires:     time.Now().Add(24 * 7 * time.Hour),
-		Domain:      s.opts.CookieDomain,
-		Partitioned: s.opts.CookiePartitioned,
-		SameSite:    http.SameSiteLaxMode,
+		Name:     anubis.CookieName,
+		Value:    tokenString,
+		Expires:  time.Now().Add(24 * 7 * time.Hour),
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
 	})
 
 	challengesValidated.Inc()
author	Xe Iaso <me@xeiaso.net>	2025-03-26 20:50:54 -0400
committer	GitHub <noreply@github.com>	2025-03-26 20:50:54 -0400
commit	ecc6b47f90bd4ffc48d1555df8012d534fa5d180 (patch)
tree	75ec8d9ff574742387b5b93f205eb36250c652a2 /lib/anubis.go
parent	e7cbd349f3ff96788dc7a8540d29808ca72e1c44 (diff)
download	anubis-ecc6b47f90bd4ffc48d1555df8012d534fa5d180.tar.xz anubis-ecc6b47f90bd4ffc48d1555df8012d534fa5d180.zip