diff --git a/pkg/cookie/cookie.go b/pkg/cookie/cookie.go
index c9ab508..e89c725 100644
--- a/pkg/cookie/cookie.go
+++ b/pkg/cookie/cookie.go
@@ -17,7 +17,6 @@ const (
 var (
 Login = login(DefaultPrefix)
- LoginLegacy = loginLegacy(DefaultPrefix)
 Logout = logout(DefaultPrefix)
 Session = session(DefaultPrefix)
 ErrInvalidValue = errors.New("invalid value")
@@ -163,7 +162,6 @@ func ClearLegacyCookies(w http.ResponseWriter, opts Options) {
 func ConfigureCookieNamesWithPrefix(prefix string) {
 Login = login(prefix)
- LoginLegacy = loginLegacy(prefix)
 Logout = logout(prefix)
 Session = session(prefix)
 }
@@ -176,10 +174,6 @@ func login(prefix string) string {
 return withPrefix(prefix, "callback")
 }
-func loginLegacy(prefix string) string {
- return withPrefix(prefix, "callback.legacy")
-}
-
 func logout(prefix string) string {
 return withPrefix(prefix, "logout")
 }
diff --git a/pkg/cookie/cookie_test.go b/pkg/cookie/cookie_test.go
index 8452e69..2f797d7 100644
--- a/pkg/cookie/cookie_test.go
+++ b/pkg/cookie/cookie_test.go
@@ -195,13 +195,11 @@ func TestCookie_Decrypt(t *testing.T) {
 func TestCookieNames(t *testing.T) {
 assert.Equal(t, "io.nais.wonderwall.callback", cookie.Login)
- assert.Equal(t, "io.nais.wonderwall.callback.legacy", cookie.LoginLegacy)
 assert.Equal(t, "io.nais.wonderwall.logout", cookie.Logout)
 assert.Equal(t, "io.nais.wonderwall.session", cookie.Session)
 cookie.ConfigureCookieNamesWithPrefix("some-prefix")
 assert.Equal(t, "some-prefix.callback", cookie.Login)
- assert.Equal(t, "some-prefix.callback.legacy", cookie.LoginLegacy)
 assert.Equal(t, "some-prefix.logout", cookie.Logout)
 assert.Equal(t, "some-prefix.session", cookie.Session)
 }
diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
index 305ad60..8e2dad0 100644
--- a/pkg/handler/handler.go
+++ b/pkg/handler/handler.go
@@ -178,14 +178,10 @@ func (s *Standalone) LoginCallback(w http.ResponseWriter, r *http.Request) {
 // unconditionally clear login cookies
 cookie.Clear(w, cookie.Login, opts.WithSameSite(http.SameSiteLaxMode))
- cookie.Clear(w, cookie.LoginLegacy, opts.WithSameSite(http.SameSiteDefaultMode))
 loginCookie, err := openid.GetLoginCookie(r, s.Crypter)
 if err != nil {
- msg := "callback: fetching login cookie"
- if errors.Is(err, http.ErrNoCookie) {
- msg += ": fallback cookie not found (user might have blocked all cookies, or the callback route was accessed before the login route)"
- }
+ msg := "callback: fetching login cookie (user might have blocked all cookies, or the callback route was accessed before the login route)"
 s.Unauthorized(w, r, fmt.Errorf("%s: %w", msg, err))
 return
 }
diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
index c4da1eb..ff6d844 100644
--- a/pkg/handler/handler_test.go
+++ b/pkg/handler/handler_test.go
@@ -79,11 +79,9 @@ func TestLoginPrompt(t *testing.T) {
 cookies := rpClient.Jar.Cookies(loginURL)
 sessionCookie := getCookieFromJar(cookie.Session, cookies)
 loginCookie := getCookieFromJar(cookie.Login, cookies)
- loginLegacyCookie := getCookieFromJar(cookie.LoginLegacy, cookies)
 assert.Nil(t, sessionCookie)
 assert.NotNil(t, loginCookie)
- assert.NotNil(t, loginLegacyCookie)
 // verify session deleted
 sess = sessionInfo(t, idp, rpClient)
@@ -539,11 +537,9 @@ func localLogin(t *testing.T, rpClient *http.Client, idp *mock.IdentityProvider)
 cookies := rpClient.Jar.Cookies(loginURL)
 sessionCookie := getCookieFromJar(cookie.Session, cookies)
 loginCookie := getCookieFromJar(cookie.Login, cookies)
- loginLegacyCookie := getCookieFromJar(cookie.LoginLegacy, cookies)
 assert.Nil(t, sessionCookie)
 assert.NotNil(t, loginCookie)
- assert.NotNil(t, loginLegacyCookie)
 return resp
 }
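Review bot: In the LoginCallback hunk of pkg/handler/handler.go, the new `msg` attaches the blocked-cookies explanation to every error returned by `openid.GetLoginCookie`, whereas the removed code added it only when `errors.Is(err, http.ErrNoCookie)`. A cookie that is present but presumably fails to decrypt or parse would now be logged with a misleading cause, which blurs a signal worth keeping separate (possible tampering or a key mismatch versus a cookie that was never sent). Keep the base message `msg := "callback: fetching login cookie"` and re-add the guard, `if errors.Is(err, http.ErrNoCookie) { msg += ": cookie not found (user might have blocked all cookies, or the callback route was accessed before the login route)" }`. LoginCallback begins before and continues after this hunk.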
@@ -569,11 +565,9 @@ func callback(t *testing.T, rpClient *http.Client, authorizeResponse response) *
 cookies := rpClient.Jar.Cookies(callbackURL)
 sessionCookie := getCookieFromJar(cookie.Session, cookies)
 loginCookie := getCookieFromJar(cookie.Login, cookies)
- loginLegacyCookie := getCookieFromJar(cookie.LoginLegacy, cookies)
 assert.NotNil(t, sessionCookie)
 assert.Nil(t, loginCookie)
- assert.Nil(t, loginLegacyCookie)
 return sessionCookie
 }
diff --git a/pkg/middleware/logentry.go b/pkg/middleware/logentry.go
index fcad597..22bdf13 100644
--- a/pkg/middleware/logentry.go
+++ b/pkg/middleware/logentry.go
@@ -147,7 +147,6 @@ func isRelevantCookie(name string) bool {
 switch name {
 case cookie.Session,
 cookie.Login,
- cookie.LoginLegacy,
 cookie.Logout:
 return true
 }
diff --git a/pkg/openid/client/login.go b/pkg/openid/client/login.go
index 9f194c7..07699d5 100644
--- a/pkg/openid/client/login.go
+++ b/pkg/openid/client/login.go
@@ -129,18 +129,7 @@ func (l *Login) SetCookie(w http.ResponseWriter, opts cookie.Options, crypter cr
 value := string(loginCookieJson)
- err = cookie.EncryptAndSet(w, cookie.Login, value, opts, crypter)
- if err != nil {
- return err
- }
-
- // set a duplicate cookie without the SameSite value set for user agents that do not properly handle SameSite
- err = cookie.EncryptAndSet(w, cookie.LoginLegacy, value, opts.WithSameSite(http.SameSiteDefaultMode), crypter)
- if err != nil {
- return err
- }
-
- return nil
+ return cookie.EncryptAndSet(w, cookie.Login, value, opts, crypter)
 }
 func getAcrParam(c *Client, r *http.Request) (string, error) {
diff --git a/pkg/openid/cookies.go b/pkg/openid/cookies.go
index 881ed29..cb50de4 100644
--- a/pkg/openid/cookies.go
+++ b/pkg/openid/cookies.go
@@ -7,7 +7,6 @@ import (
 "github.com/nais/wonderwall/pkg/cookie"
 "github.com/nais/wonderwall/pkg/crypto"
- "github.com/nais/wonderwall/pkg/middleware"
 )
 type LoginCookie struct {
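Review bot: In the SetCookie hunk of pkg/openid/client/login.go, the single remaining `cookie.EncryptAndSet` call takes its SameSite attribute from `opts` unchanged, and nothing at this point documents which mode callers must pass now that the duplicate cookie without SameSite is gone. LoginCallback clears `cookie.Login` with `http.SameSiteLaxMode`, which suggests Lax is the expected mode; a stricter mode would presumably keep the cookie from being sent on the redirect back from the identity provider, and there is no second cookie to fall back on. Add a comment above the return, for example `// opts must carry SameSite=Lax: the callback arrives via a cross-site redirect and no fallback cookie is set.` SetCookie begins outside this hunk, so the place where `opts` is built is not visible here.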
@@ -27,12 +26,7 @@ type LogoutCookie struct {
 func GetLoginCookie(r *http.Request, crypter crypto.Crypter) (*LoginCookie, error) {
 loginCookieJson, err := cookie.GetDecrypted(r, cookie.Login, crypter)
 if err != nil {
- middleware.LogEntryFrom(r).Debugf("failed to fetch login cookie: %+v; falling back to legacy cookie", err)
-
- loginCookieJson, err = cookie.GetDecrypted(r, cookie.LoginLegacy, crypter)
- if err != nil {
- return nil, err
- }
+ return nil, err
 }
 var loginCookie LoginCookie