Rewrite cookie path logic

Before we relied on the client to resolve the base given to it by the
backend against the path.

Instead have the client pass that information along so we can resolve it
on the backend.  This means the client has to do less work.

Author: code-asher

src/browser/pages/login.html

@@ -30,7 +30,8 @@ <h1 class="main">Welcome to code-server</h1>
         <div class="content">
           <form class="login-form" method="post">
             <input class="user" type="text" autocomplete="username" />
-            <input id="base" type="hidden" name="base" value="/" />
+            <input id="base" type="hidden" name="base" value="{{BASE}}" />
+            <input id="href" type="hidden" name="href" value="" />
             <div class="field">
               <input
                 required
@@ -51,9 +52,9 @@ <h1 class="main">Welcome to code-server</h1>
     <script>
       // Inform the backend about the path since the proxy might have rewritten
       // it out of the headers and cookies must be set with absolute paths.
-      const el = document.getElementById("base")
+      const el = document.getElementById("href")
       if (el) {
-        el.value = window.location.pathname
+        el.value = location.href
       }
     </script>
   </body>

src/node/http.ts

@@ -255,3 +255,36 @@ export function disposer(server: http.Server): Disposable["dispose"] {
     })
   }
 }
+
+/**
+ * Get the options for setting a cookie.  The options must be identical for
+ * setting and unsetting cookies otherwise they are considered separate.
+ */
+export const getCookieOptions = (req: express.Request): express.CookieOptions => {
+  // Normally we set paths relatively.  However browsers do not appear to allow
+  // cookies to be set relatively which means we need an absolute path.  We
+  // cannot be guaranteed we know the path since a reverse proxy might have
+  // rewritten it.  That means we need to get the path from the frontend.
+
+  // The reason we need to set the path (as opposed to defaulting to /) is to
+  // avoid code-server instances on different sub-paths clobbering each other or
+  // from accessing each other's tokens (and to prevent other services from
+  // accessing code-server's tokens).
+
+  // When logging in or out the request must include the href (the full current
+  // URL of that page) and the relative path to the root as given to it by the
+  // backend.  Using these two we can determine the true absolute root.
+  let domain = req.headers.host || ""
+  let pathname = "/"
+  const href = req.query.href || req.body.href
+  if (href) {
+    const url = new URL(req.query.base || req.body.base || "/", href)
+    domain = url.host
+    pathname = url.pathname
+  }
+  return {
+    domain: getCookieDomain(domain, req.args["proxy-domain"]),
+    path: normalize(pathname) || "/",
+    sameSite: "lax",
+  }
+}

src/node/routes/login.ts

@@ -5,7 +5,7 @@ import * as os from "os"
 import * as path from "path"
 import { CookieKeys } from "../../common/http"
 import { rootPath } from "../constants"
-import { authenticated, getCookieDomain, redirect, replaceTemplates } from "../http"
+import { authenticated, getCookieOptions, redirect, replaceTemplates } from "../http"
 import { getPasswordMethod, handlePasswordValidation, humanPath, sanitizeString, escapeHtml } from "../util"
 
 // RateLimiter wraps around the limiter library for logins.
@@ -84,15 +84,7 @@ router.post<{}, string, { password: string; base?: string }, { to?: string }>("/
     if (isPasswordValid) {
       // The hash does not add any actual security but we do it for
       // obfuscation purposes (and as a side effect it handles escaping).
-      res.cookie(CookieKeys.Session, hashedPassword, {
-        domain: getCookieDomain(req.headers.host || "", req.args["proxy-domain"]),
-        // Browsers do not appear to allow cookies to be set relatively so we
-        // need to get the root path from the browser since the proxy rewrites
-        // it out of the path.  Otherwise code-server instances hosted on
-        // separate sub-paths will clobber each other.
-        path: req.body.base ? path.posix.join(req.body.base, "..", "/") : "/",
-        sameSite: "lax",
-      })
+      res.cookie(CookieKeys.Session, hashedPassword, getCookieOptions(req))
 
       const to = (typeof req.query.to === "string" && req.query.to) || "/"
       return redirect(req, res, to, { to: undefined })

src/node/routes/logout.ts

@@ -1,21 +1,14 @@
 import { Router } from "express"
 import { CookieKeys } from "../../common/http"
-import { getCookieDomain, redirect } from "../http"
-
+import { getCookieOptions, redirect } from "../http"
 import { sanitizeString } from "../util"
 
 export const router = Router()
 
 router.get<{}, undefined, undefined, { base?: string; to?: string }>("/", async (req, res) => {
-  const path = sanitizeString(req.query.base) || "/"
-  const to = sanitizeString(req.query.to) || "/"
-
   // Must use the *identical* properties used to set the cookie.
-  res.clearCookie(CookieKeys.Session, {
-    domain: getCookieDomain(req.headers.host || "", req.args["proxy-domain"]),
-    path: decodeURIComponent(path),
-    sameSite: "lax",
-  })
+  res.clearCookie(CookieKeys.Session, getCookieOptions(req))
 
-  return redirect(req, res, to, { to: undefined, base: undefined })
+  const to = sanitizeString(req.query.to) || "/"
+  return redirect(req, res, to, { to: undefined, base: undefined, href: undefined })
 })

src/node/util.ts

@@ -324,7 +324,7 @@ export async function isCookieValid({
 export function sanitizeString(str: unknown): string {
   // Very basic sanitization of string
   // Credit: https://stackoverflow.com/a/46719000/3015595
-  return typeof str === "string" && str.trim().length > 0 ? str.trim() : ""
+  return typeof str === "string" ? str.trim() : ""
 }
 
 const mimeTypes: { [key: string]: string } = {

vendor/package.json

@@ -7,6 +7,6 @@
     "postinstall": "./postinstall.sh"
   },
   "devDependencies": {
-    "code-oss-dev": "cdr/vscode#c2a251c6afaa13fbebf97fcd8a68192f8cf46031"
+    "code-oss-dev": "cdr/vscode#478224aa345e9541f2427b30142dd13ee7e14d39"
   }
 }

vendor/yarn.lock

@@ -296,9 +296,9 @@ clone-response@^1.0.2:
   dependencies:
     mimic-response "^1.0.0"
 
-code-oss-dev@cdr/vscode#c2a251c6afaa13fbebf97fcd8a68192f8cf46031:
+code-oss-dev@cdr/vscode#478224aa345e9541f2427b30142dd13ee7e14d39:
   version "1.61.1"
-  resolved "https://codeload.github.com/cdr/vscode/tar.gz/c2a251c6afaa13fbebf97fcd8a68192f8cf46031"
+  resolved "https://codeload.github.com/cdr/vscode/tar.gz/478224aa345e9541f2427b30142dd13ee7e14d39"
   dependencies:
     "@microsoft/applicationinsights-web" "^2.6.4"
     "@vscode/sqlite3" "4.0.12"