| -rw-r--r-- | ydb/mvp/oidc_proxy/context.cpp | 6 | ||||
| -rw-r--r-- | ydb/mvp/oidc_proxy/oidc_settings.h | 1 | ||||
| -rw-r--r-- | ydb/mvp/oidc_proxy/openid_connect.cpp | 4 |
3 files changed, 5 insertions, 6 deletions
diff --git a/ydb/mvp/oidc_proxy/context.cpp b/ydb/mvp/oidc_proxy/context.cpp index 678b3f7c318..364462ce350 100644 --- a/ydb/mvp/oidc_proxy/context.cpp +++ b/ydb/mvp/oidc_proxy/context.cpp @@ -25,10 +25,9 @@ TContext::TContext(const NHttp::THttpIncomingRequestPtr& request) {} TString TContext::GetState(const TString& key) const { - static const TDuration STATE_LIFE_TIME = TDuration::Minutes(10); TState payload; payload.AntiForgeryToken = State; - payload.ExpirationTime = TInstant::Now() + STATE_LIFE_TIME; + payload.ExpirationTime = TInstant::Now() + TOpenIdConnectSettings::DEFAULT_AUTH_STATE_LIFETIME; if (!NavigationRequest) { payload.CookieSuffix = TString(TOpenIdConnectSettings::YDB_OIDC_COOKIE_BACKGROUND_SUFFIX); } @@ -44,11 +43,10 @@ TString TContext::GetRequestedAddress() const { } TString TContext::CreateYdbOidcCookie(const TString& secret) const { - static constexpr size_t COOKIE_MAX_AGE_SEC = 3600; return TStringBuilder() << CreateNameYdbOidcCookie(NavigationRequest ? TStringBuf() : TOpenIdConnectSettings::YDB_OIDC_COOKIE_BACKGROUND_SUFFIX) << "=" << GenerateCookie(secret) << ";" " Path=" << GetAuthCallbackUrl() << ";" - " Max-Age=" << COOKIE_MAX_AGE_SEC << ";" + " Max-Age=" << TOpenIdConnectSettings::DEFAULT_AUTH_STATE_LIFETIME.Seconds() << ";" " SameSite=None; Secure"; } diff --git a/ydb/mvp/oidc_proxy/oidc_settings.h b/ydb/mvp/oidc_proxy/oidc_settings.h index a26f72366ab..81394bb775d 100644 --- a/ydb/mvp/oidc_proxy/oidc_settings.h +++ b/ydb/mvp/oidc_proxy/oidc_settings.h @@ -21,6 +21,7 @@ struct TOpenIdConnectSettings { static const inline TString DEFAULT_IMPERSONATE_URL_PATH = "/oauth2/impersonation/impersonate"; static constexpr inline TDuration DEFAULT_REQUEST_TIMEOUT = TDuration::Seconds(120); + static constexpr inline TDuration DEFAULT_AUTH_STATE_LIFETIME = TDuration::Minutes(10); static const TVector<TStringBuf> REQUEST_HEADERS_WHITE_LIST; static const TVector<TStringBuf> RESPONSE_HEADERS_WHITE_LIST; 
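Review bot: The cookie built in `TContext::CreateYdbOidcCookie` is still sent with only `SameSite=None; Secure`, whereas `CreateSecureCookie` in openid_connect.cpp also sets `HttpOnly`. If no front-end script needs to read this cookie (not visible from the hunk), the last line could become `" SameSite=None; Secure; HttpOnly";` so that script running in the page cannot read the value produced by `GenerateCookie(secret)`. Separately, sharing the constant shortens Max-Age from 3600 s to 600 s; that looks intended, since it now matches the `ExpirationTime` set in `GetState`, but it is a behaviour change worth stating in the commit message.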
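Review bot: `DEFAULT_AUTH_STATE_LIFETIME` is added without a comment, although two security-relevant lifetimes now depend on it. I would put `// Lifetime of the OIDC auth state: bounds payload.ExpirationTime in TContext::GetState and Max-Age in TContext::CreateYdbOidcCookie.` above the declaration. The `DEFAULT_` prefix suggests a configurable override; none is visible in this diff, so the comment should say whether one exists. The struct begins and ends outside the hunk.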
diff --git a/ydb/mvp/oidc_proxy/openid_connect.cpp b/ydb/mvp/oidc_proxy/openid_connect.cpp
index c8470cbf570..58270c80d3a 100644
--- a/ydb/mvp/oidc_proxy/openid_connect.cpp
+++ b/ydb/mvp/oidc_proxy/openid_connect.cpp
@@ -134,14 +134,14 @@ const TString& GetAuthCallbackUrl() {
 TString CreateSecureCookie(const TString& name, const TString& value, const ui32 expiredSeconds) {
 TStringBuilder cookieBuilder;
 cookieBuilder << name << "=" << value
- << "; Path=/; Secure; HttpOnly; SameSite=None; Partitioned"
+ << "; Path=/; Secure; HttpOnly; SameSite=None"
 << "; Max-Age=" << expiredSeconds;
 return cookieBuilder;
 }

 TString ClearSecureCookie(const TString& name) {
 TStringBuilder cookieBuilder;
- cookieBuilder << name << "=; Path=/; Secure; HttpOnly; SameSite=None; Partitioned; Max-Age=0";
+ cookieBuilder << name << "=; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=0";
 return cookieBuilder;
 }

|
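Review bot: `ClearSecureCookie` now sends its deletion without `Partitioned`, so in browsers that implement partitioned cookies it will probably not remove a cookie that an earlier build issued with `Partitioned`; as far as I know those are stored separately from unpartitioned cookies of the same name. A session cookie set before this change could then survive a logout until its own Max-Age runs out. Since the function returns a single header value, the caller would have to send a second, partitioned deletion during the transition; that call site lies outside this hunk. I would also add a comment above `CreateSecureCookie` such as `// No Partitioned attribute: <reason>` (the reason is not visible on this page), because with `SameSite=None` the cookie is now an ordinary cross-site cookie.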
