Make the httponly-ness of the cookies configurable

elspethsoup · elspethsoup · commit 44833d70a02f · 2016-09-19T17:51:51.000-05:00
default the configuration to false so that the default behavior matches
the previous behavior.
diff --git a/app/helpers/casino/sessions_helper.rb b/app/helpers/casino/sessions_helper.rb
@@ -39,7 +39,7 @@ def sign_in(authentication_result, options = {})
   end
 
   def set_tgt_cookie(tgt)
-    cookies[:tgt] = { value: tgt.ticket, httponly: true}.tap do |cookie|
+    cookies[:tgt] = { value: tgt.ticket, httponly: !!CASino.config.httponly_tgt_cookies }.tap do |cookie|
       if tgt.long_term?
         cookie[:expires] = CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now
       end
diff --git a/lib/casino.rb b/lib/casino.rb
@@ -7,6 +7,7 @@ module CASino
   defaults = {
     authenticators: HashWithIndifferentAccess.new,
     require_service_rules: false,
+    httponly_tgt_cookies: false,
     logger: Rails.logger,
     frontend: HashWithIndifferentAccess.new(
       sso_name: 'CASino',
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
@@ -258,6 +258,24 @@
             tgt = CASino::TicketGrantingTicket.last
             tgt.long_term.should == true
           end
+
+          it 'creates a cookie that is not httponly by default' do
+            post :create, params
+            controller.cookies['tgt']['httponly'].should be(false)
+          end
+
+          context 'when we are configured for http_only_tgt_cookies' do
+            before do
+              CASino.config.httponly_tgt_cookies = true
+            end
+            after do
+              CASino.config.httponly_tgt_cookies = false
+            end
+            it 'creates an httponly cookie' do
+              post :create, params
+              controller.cookies['tgt']['httponly'].should be(true)
+            end
+          end
         end
 
         context 'with two-factor authentication enabled' do
@@ -399,12 +417,6 @@
             ticket_granting_ticket.reload.should_not be_awaiting_two_factor_authentication
           end
 
-          it 'creates an httponly cookie' do
-            controller.stub(:cookies).and_return(HashWithIndifferentAccess.new)
-            post :validate_otp, params
-            controller.cookies['tgt']['httponly'].should be(true)
-          end
-
           context 'with a long-term ticket-granting ticket' do
             let(:cookie_jar) { HashWithIndifferentAccess.new }
 
