diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java b/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
index 76a3ecf2..c455f043 100644
--- a/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
+++ b/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
@@ -36,6 +36,15 @@ public static Cookie buildSecureCookie(final String name, final String value) {
 return cookie;
 }
+ public static Cookie buildSecureCookie(final String name, final String value, final String domain) {
+ final Cookie cookie = new Cookie(name, value);
+ cookie.setSecure(true);
+ cookie.setHttpOnly(true);
+ cookie.setDomain(domain);
+ cookie.setPath("/");
+ return cookie;
+ }
+
 public static Cookie buildSecureCookie(final String name, final String value, final Integer maxAge) {
 final Cookie cookie = buildSecureCookie(name, value);
 cookie.setMaxAge(maxAge);
diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
index 81efe8b6..a4b2ef01 100644
--- a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
+++ b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
@@ -71,6 +71,9 @@ public class LoginControllerV2 {
 @Value("${jwt.cookie-name}")
 public String userServiceCookieName;
+ @Value("${jwt.cookie-domain")
+ public String userServiceCookieDomain;
+
 @Value("${admin-base-url}")
 private String adminBaseUrl;
 
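Review bot: The new three-argument overload in WebUtil rebuilds the cookie from scratch instead of delegating to `buildSecureCookie(name, value)` the way the `maxAge` overload directly below it does, so the Secure/HttpOnly/Path settings now live in two places and can drift apart. The body can simply be `final Cookie cookie = buildSecureCookie(name, value); cookie.setDomain(domain); return cookie;`. Note also that no caller can obtain both a domain and a max-age, because the `maxAge` overload still goes through the two-argument version; if that combination is needed later, one overload taking both (or a small builder) avoids a third copy. `Cookie.setDomain` is not null-safe in every Servlet API version I know of, so an `Objects.requireNonNull(domain, "domain")` guard, or a fallback to the host-only overload when no domain is configured, is worth adding — confirm against the servlet version the project pins.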
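Review bot: The placeholder in the new field's annotation is unterminated — `@Value("${jwt.cookie-domain")` is missing its closing brace. Spring's placeholder resolver will most likely inject the literal text `${jwt.cookie-domain` into `userServiceCookieDomain` rather than fail at startup, and that literal then becomes the cookie's Domain attribute, which browsers reject, so the session cookie would never be stored. The fix is `@Value("${jwt.cookie-domain}")`. The unit test in this commit sets the field with `ReflectionTestUtils.setField` and so bypasses property binding entirely; a context-loading test (or a `@ConfigurationProperties` holder with validation) would catch this class of typo.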
@@ -248,7 +251,7 @@ private Cookie addCustomJwtCookie(final HttpServletResponse response, final boolean isAdmin) {
 final Map customJwtClaims = oneLoginService.generateCustomJwtClaims(userInfo, idToken);
 final String customServiceJwt = customJwtService.generateToken(customJwtClaims, isAdmin);
- final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, customServiceJwt);
+ final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, customServiceJwt, userServiceCookieDomain);
 response.addCookie(customJwt);
 return customJwt;
 }
diff --git a/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java b/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
index 830f4c88..abf25a84 100644
--- a/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
+++ b/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
@@ -91,6 +91,7 @@ void setUp() {
 loginController = new LoginControllerV2(oneLoginService, customJwtService, configProperties, encryptionService, oneLoginUserService, findProperties, loggingUtils);
 ReflectionTestUtils.setField(loginController, "userServiceCookieName", "userServiceCookieName");
+ ReflectionTestUtils.setField(loginController, "userServiceCookieDomain", "userServiceCookieDomain");
 ReflectionTestUtils.setField(loginController, "adminBaseUrl", "http:localhost:3000/adminBaseUrl");
 ReflectionTestUtils.setField(loginController, "applicantBaseUrl", "http:localhost:3000/applicantBaseUrl");
 ReflectionTestUtils.setField(loginController, "techSupportAppBaseUrl", "http:localhost:3000/techSupportAppBaseUrl");
 
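Review bot: Passing `userServiceCookieDomain` at the `WebUtil.buildSecureCookie(userServiceCookieName, customServiceJwt, userServiceCookieDomain)` call turns the JWT cookie from host-only into one sent to every host under `jwt.cookie-domain`, and nothing at the call site or on the property records that this widening is intended. A short comment such as `// Domain is set on purpose: the session cookie must be readable across the service's sub-domains (jwt.cookie-domain); keep that value as narrow as possible` would make the scope decision reviewable. If the property can be absent or blank in some environments, the previous host-only behaviour is lost rather than preserved, so consider falling back to the two-argument overload when the value is null or blank. The method's signature is in the hunk's `@@` context line, so the start of addCustomJwtCookie lies outside the hunk body.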
@@ -290,7 +291,7 @@ void shouldCreateJwtCookie() throws JSONException {
 final String customToken = "a-custom-valid-token";
 final HttpServletResponse response = Mockito.spy(new MockHttpServletResponse());
 final Map claims = Map.of("claim1", "value1", "claim2", "value2");
- final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "jwtToken");
+ final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "jwtToken", "userServiceCookieDomain");
 final JSONObject tokenResponse = new JSONObject();
 tokenResponse.put("id_token", idToken).put("access_token", accessToken);