Cookie API now supports the SameSite parameter.

imeszaros · imeszaros · commit bd4f21dab2f4 · 2020-09-20T12:08:08.000+02:00
diff --git a/jooby/src/main/java/io/jooby/Cookie.java b/jooby/src/main/java/io/jooby/Cookie.java
@@ -69,6 +69,14 @@ public class Cookie {
    */
   private long maxAge = -1;
 
+  /**
+   * Value for the 'SameSite' cookie attribute.
+   *
+   * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite">
+   *   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite</a>
+   */
+  private SameSite sameSite;
+
   /**
    * Creates a response cookie.
    *
@@ -97,6 +105,7 @@ private Cookie(@Nonnull Cookie cookie) {
     this.path = cookie.path;
     this.secure = cookie.secure;
     this.httpOnly = cookie.httpOnly;
+    this.sameSite = cookie.sameSite;
   }
 
   /**
@@ -238,12 +247,19 @@ public boolean isSecure() {
   }
 
   /**
-   * Set cookie secure flag..
+   * Set cookie secure flag.
    *
    * @param secure Cookie's secure.
    * @return This cookie.
+   * @throws IllegalArgumentException if {@code false} is specified and the 'SameSite'
+   * attribute value requires a secure cookie.
    */
   public @Nonnull Cookie setSecure(boolean secure) {
+    if (sameSite != null && sameSite.requiresSecure() && !secure) {
+      throw new IllegalArgumentException("Cookies with SameSite=" + sameSite.getValue()
+          + " must be flagged as Secure. Call Cookie.setSameSite(...) with an argument"
+          + " allowing non-secure cookies before calling Cookie.setSecure(false).");
+    }
     this.secure = secure;
     return this;
   }
@@ -297,6 +313,60 @@ public long getMaxAge() {
     return this;
   }
 
+  /**
+   * Returns the value for the 'SameSite' parameter.
+   * <ul>
+   *   <li>{@link SameSite#LAX} - Cookies are allowed to be sent with top-level navigations and
+   *   will be sent along with GET request initiated by third party website. This is the default
+   *   value in modern browsers.</li>
+   *   <li>{@link SameSite#STRICT} - Cookies will only be sent in a first-party context and not be
+   *   sent along with requests initiated by third party websites.</li>
+   *   <li>{@link SameSite#NONE} - Cookies will be sent in all contexts, i.e sending cross-origin
+   *   is allowed. Requires the {@code Secure} attribute in latest browser versions.</li>
+   *   <li>{@code null} - Not specified.</li>
+   * </ul>
+   *
+   * @return the value for 'SameSite' parameter.
+   * @see #setSecure(boolean)
+   * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite">
+   *   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite</a>
+   */
+  @Nullable
+  public SameSite getSameSite() {
+    return sameSite;
+  }
+
+  /**
+   * Sets the value for the 'SameSite' parameter.
+   * <ul>
+   *   <li>{@link SameSite#LAX} - Cookies are allowed to be sent with top-level navigations and
+   *   will be sent along with GET request initiated by third party website. This is the default
+   *   value in modern browsers.</li>
+   *   <li>{@link SameSite#STRICT} - Cookies will only be sent in a first-party context and not be
+   *   sent along with requests initiated by third party websites.</li>
+   *   <li>{@link SameSite#NONE} - Cookies will be sent in all contexts, i.e sending cross-origin
+   *   is allowed. Requires the {@code Secure} attribute in latest browser versions.</li>
+   *   <li>{@code null} - Not specified.</li>
+   * </ul>
+   *
+   * @param sameSite the value for the 'SameSite' parameter.
+   * @return this instance.
+   * @throws IllegalArgumentException if a value requiring a secure cookie is specified and this
+   * cookie is not flagged as secure.
+   * @see #setSecure(boolean)
+   * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite">
+   *   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite</a>
+   */
+  public Cookie setSameSite(@Nullable SameSite sameSite) {
+    if (sameSite != null && sameSite.requiresSecure() && !isSecure()) {
+      throw new IllegalArgumentException("Cookies with SameSite=" + sameSite.getValue()
+          + " must be flagged as Secure. Call Cookie.setSecure(true)"
+          + " before calling Cookie.setSameSite(...).");
+    }
+    this.sameSite = sameSite;
+    return this;
+  }
+
   @Override public String toString() {
     StringBuilder buff = new StringBuilder();
     buff.append(name).append("=");
@@ -334,6 +404,12 @@ public long getMaxAge() {
       append(sb, domain);
     }
 
+    // SameSite
+    if (sameSite != null) {
+      sb.append(";SameSite=");
+      append(sb, sameSite.getValue());
+    }
+
     // Secure
     if (secure) {
       sb.append(";Secure");
@@ -491,6 +567,8 @@ public long getMaxAge() {
       value(conf, namespace + ".httpOnly", Config::getBoolean, cookie::setHttpOnly);
       value(conf, namespace + ".maxAge", (c, path) -> c.getDuration(path, TimeUnit.SECONDS),
           cookie::setMaxAge);
+      value(conf, namespace + ".sameSite", (c, path) -> SameSite.of(c.getString(path)),
+          cookie::setSameSite);
       return Optional.of(cookie);
     }
     return Optional.empty();
diff --git a/jooby/src/main/java/io/jooby/SameSite.java b/jooby/src/main/java/io/jooby/SameSite.java
@@ -0,0 +1,74 @@
+package io.jooby;
+
+import static java.util.Arrays.stream;
+import static java.util.stream.Collectors.joining;
+
+/**
+ * The SameSite attribute of the Set-Cookie HTTP response header allows you to declare
+ * if your cookie should be restricted to a first-party or same-site context.
+ *
+ * @see <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite">
+ *   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite</a>
+ */
+public enum SameSite {
+
+  /**
+   * Cookies are allowed to be sent with top-level navigations and will be sent along with
+   * GET request initiated by third party website. This is the default value in modern browsers.
+   */
+  LAX("Lax"),
+
+  /**
+   * Cookies will only be sent in a first-party context and not be sent along with
+   * requests initiated by third party websites.
+   */
+  STRICT("Strict"),
+
+  /**
+   * Cookies will be sent in all contexts, i.e sending cross-origin is allowed.
+   * Requires the {@code Secure} attribute in latest browser versions.
+   */
+  NONE("None");
+
+  SameSite(String value) {
+    this.value = value;
+  }
+
+  private final String value;
+
+  /**
+   * Returns the parameter value used in {@code Set-Cookie}.
+   *
+   * @return the parameter value.
+   */
+  public String getValue() {
+    return value;
+  }
+
+  /**
+   * Returns whether this value requires the cookie to be flagged as {@code Secure}.
+   *
+   * @return {@code true} if the cookie should be secure.
+   */
+  public boolean requiresSecure() {
+    return this == NONE;
+  }
+
+  /**
+   * Returns an instance of this class based on value it uses in {@code Set-Cookie}.
+   *
+   * @param value the value.
+   * @return an instance of this class.
+   * @see #getValue()
+   * @throws IllegalArgumentException if an invalid value is specified.
+   */
+  public static SameSite of(String value) {
+    return stream(values())
+        .filter(v -> v.getValue().equals(value))
+        .findFirst()
+        .orElseThrow(() -> new IllegalArgumentException("Invalid SameSite value '"
+            + value + "'. Use one of: " + stream(values())
+            .map(SameSite::getValue)
+            .collect(joining(", "))));
+  }
+}
diff --git a/jooby/src/test/java/io/jooby/CookieTest.java b/jooby/src/test/java/io/jooby/CookieTest.java
@@ -1,9 +1,12 @@
 package io.jooby;
 
 import com.google.common.collect.ImmutableMap;
+import com.typesafe.config.ConfigFactory;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class CookieTest {
 
@@ -38,4 +41,70 @@ public void signUnsign() {
     assertEquals("foo=bar&x=u iq", Cookie
         .unsign("RcFzlzECN2Lv32Ie9jfSWVr13j6OjllJwDDZe4mVS4c|foo=bar&x=u iq", "987654345!$009P"));
   }
+
+  @Test
+  public void testCreateSameSite() {
+    assertEquals(SameSite.LAX, Cookie.create("mycookie",
+        ConfigFactory.parseMap(ImmutableMap.of(
+            "mycookie.name", "foo",
+            "mycookie.value", "bar",
+            "mycookie.sameSite", "Lax")))
+        .map(Cookie::getSameSite)
+        .orElse(null));
+
+    assertEquals(SameSite.NONE, Cookie.create("mycookie",
+        ConfigFactory.parseMap(ImmutableMap.of(
+            "mycookie.name", "foo",
+            "mycookie.value", "bar",
+            "mycookie.sameSite", "None",
+            "mycookie.secure", true)))
+        .map(Cookie::getSameSite)
+        .orElse(null));
+
+    Throwable t1 = assertThrows(IllegalArgumentException.class, () -> Cookie.create("mycookie",
+        ConfigFactory.parseMap(ImmutableMap.of(
+            "mycookie.name", "foo",
+            "mycookie.value", "bar",
+            "mycookie.sameSite", "None"))));
+
+    assertEquals("Cookies with SameSite=None"
+        + " must be flagged as Secure. Call Cookie.setSecure(true)"
+        + " before calling Cookie.setSameSite(...).", t1.getMessage());
+
+    Throwable t2 = assertThrows(IllegalArgumentException.class, () -> Cookie.create("mycookie",
+        ConfigFactory.parseMap(ImmutableMap.of(
+            "mycookie.name", "foo",
+            "mycookie.value", "bar",
+            "mycookie.sameSite", "Cheese"))));
+
+    assertEquals("Invalid SameSite value 'Cheese'. Use one of: Lax, Strict, None", t2.getMessage());
+  }
+
+  @Test
+  public void testSameSiteVsSecure() {
+    Cookie cookie = new Cookie("foo", "bar");
+
+    Throwable t1 = assertThrows(IllegalArgumentException.class, () -> cookie.setSameSite(SameSite.NONE));
+
+    assertEquals("Cookies with SameSite=None"
+        + " must be flagged as Secure. Call Cookie.setSecure(true)"
+        + " before calling Cookie.setSameSite(...).", t1.getMessage());
+
+    cookie.setSecure(true);
+    cookie.setSameSite(SameSite.NONE);
+
+    assertEquals(SameSite.NONE, cookie.getSameSite());
+
+
+    Throwable t2 = assertThrows(IllegalArgumentException.class, () -> cookie.setSecure(false));
+
+    assertEquals("Cookies with SameSite=" + cookie.getSameSite().getValue()
+        + " must be flagged as Secure. Call Cookie.setSameSite(...) with an argument"
+        + " allowing non-secure cookies before calling Cookie.setSecure(false).", t2.getMessage());
+
+    cookie.setSameSite(null);
+    cookie.setSecure(false);
+
+    assertFalse(cookie.isSecure());
+  }
 }
diff --git a/tests/src/test/java/io/jooby/FeaturedTest.java b/tests/src/test/java/io/jooby/FeaturedTest.java
@@ -1772,6 +1772,15 @@ public void cookies(ServerTestRunner runner) {
             .setResponseCookie(cookie)
             .send(StatusCode.OK);
       });
+
+      app.get("/same-site", ctx -> {
+        Cookie cookie = new Cookie("foo", "bar")
+            .setSecure(ctx.query("secure").booleanValue(false))
+            .setSameSite(ctx.query("sameSite").toOptional().map(SameSite::of).orElse(null));
+        return ctx
+            .setResponseCookie(cookie)
+            .send(StatusCode.OK);
+      });
     }).ready(client -> {
       client.get("/cookies", response -> {
         assertEquals("{}", response.body().string());
@@ -1823,6 +1832,26 @@ public void cookies(ServerTestRunner runner) {
         // Give it -/+5
         assertTrue(minutes >= 25 && minutes <= 35);
       });
+      client.get("/same-site", response -> {
+        // browser session
+        assertEquals("[foo=bar;Path=/]", response.headers("Set-Cookie").toString());
+      });
+      client.get("/same-site?sameSite=Lax", response -> {
+        // browser session
+        assertEquals("[foo=bar;Path=/;SameSite=Lax]", response.headers("Set-Cookie").toString());
+      });
+      client.get("/same-site?sameSite=Strict", response -> {
+        // browser session
+        assertEquals("[foo=bar;Path=/;SameSite=Strict]", response.headers("Set-Cookie").toString());
+      });
+      client.get("/same-site?sameSite=None&secure=true", response -> {
+        // browser session
+        assertEquals("[foo=bar;Path=/;SameSite=None;Secure]", response.headers("Set-Cookie").toString());
+      });
+      client.get("/same-site?sameSite=None", response -> {
+        // browser session
+        assertEquals(400, response.code());
+      });
     });
   }
 
