Skip to content

fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file #3228

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tuunit merged 4 commits into from
Oct 28, 2025
Merged

fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file #3228

tuunit merged 4 commits into from
Oct 28, 2025

Conversation

@stagswtf
Copy link
Contributor

@stagswtf stagswtf commented Oct 9, 2025

The makeCookie method in ticket.go was using t.options.Secret directly, which meant cookie-secret-file was not being respected. Updated to use GetSecret() which handles both cookie-secret and cookie-secret-file properly.

Also added test coverage for cookie-secret-file functionality.

Fixes #3224

Description

The makeCookie method in ticket.go was directly accessing t.options.Secret when signing cookie values. This meant that when users configured a cookie-secret-file, the secret from the file was not being used.

Changes made:

  • Updated makeCookie to use t.options.GetSecret() which properly handles both cookie-secret and cookie-secret-file
  • Added test coverage in session_store_tests.go to verify cookie signing works with secrets loaded from files

Motivation and Context

When users configure oauth2-proxy with cookie-secret-file, they expect the secret from that file to be used for all cookie operations. However, due to this bug, the makeCookie method was bypassing the file-based secret mechanism and only using the direct secret value.

This fixes issue #3224 where it was reported that cookie signing was broken when using cookie-secret-file.

How Has This Been Tested?

  • Added a new test context "with cookie secret file" to the session store test suite
  • Test creates a temporary file with a random 32-byte secret
  • Verifies that session store operations work correctly when using only cookie-secret-file (with empty Secret)
  • All existing tests continue to pass with no modifications needed
  • Ran the full test suite with Go 1.24.6 on Linux

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.

@stagswtf stagswtf requested a review from a team as a code owner October 9, 2025 19:31
@stagswtf stagswtf force-pushed the fix/use-secret-file branch from 9d78e57 to 755d226 Compare October 9, 2025 19:38
@stagswtf
Copy link
Contributor Author

stagswtf commented Oct 9, 2025

I think I am done here, but let me know.

@stagswtf
Copy link
Contributor Author

stagswtf commented Oct 14, 2025

How do i make the build step happen?

@pixeldrew
Copy link
Contributor

pixeldrew commented Oct 24, 2025

Need this fix. Docker compose secrets not working if you want your cookie secret as a docker secret

@tuunit tuunit changed the title Fix/use secret file fix: use GetSecret() in ticket.go makeCookie to respect cookie-secret-file Oct 28, 2025
tuunit
tuunit requested changes Oct 28, 2025
View reviewed changes
Copy link
Member

@tuunit tuunit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nitpick. The rest looks good to me

stagswtf and others added 4 commits October 28, 2025 08:27
@stagswtf @tuunit
fix: use GetSecret() in ticket.go makeCookie
349d98c 
The makeCookie method in ticket.go was using t.options.Secret directly, which
meant cookie-secret-file was not being respected. Updated to use GetSecret()
which handles both cookie-secret and cookie-secret-file properly.

Also added test coverage for cookie-secret-file functionality.

Fixes oauth2-proxy#3224

Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com>
@stagswtf @tuunit
docs: update CHANGELOG.md for cookie-secret-file fix
d2d6ed3 
Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com>
@stagswtf @tuunit
correct PR link and undo file formatting
9d36542 
Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com>
@tuunit
fix: error wrapping
293521a 
Signed-off-by: Jan Larwig <jan@larwig.com>
@tuunit tuunit force-pushed the fix/use-secret-file branch from 14b14d8 to 293521a Compare October 28, 2025 07:29
@tuunit tuunit merged commit 51e80f2 into oauth2-proxy:master Oct 28, 2025
4 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Nov 8, 2025
Merged
@github-actions github-actions bot mentioned this pull request Nov 9, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tuunit tuunit tuunit approved these changes

Assignees

No one assigned

Labels

docs go

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cookie_secret_file option fails when validating cookies

3 participants

@stagswtf @pixeldrew @tuunit