Merge pull request #4015 from appare45/set-cookie-with-baseurl

backend: auth: Include baseURL in Cookie Path

Author: k8s-ci-robot

backend/cmd/headlamp.go

@@ -755,7 +755,7 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 			}
 
 			// Set auth cookie
-			auth.SetTokenCookie(w, r, string(decodedState), rawUserToken)
+			auth.SetTokenCookie(w, r, string(decodedState), rawUserToken, config.BaseURL)
 
 			redirectURL += fmt.Sprintf("auth?cluster=%1s", decodedState)
 			http.Redirect(w, r, redirectURL, http.StatusSeeOther)
@@ -841,7 +841,7 @@ func (c *HeadlampConfig) refreshAndSetToken(oidcAuthConfig *kubeconfig.OidcConfi
 		}
 
 		// Set refreshed token in cookie
-		auth.SetTokenCookie(w, r, cluster, newTokenString)
+		auth.SetTokenCookie(w, r, cluster, newTokenString, c.BaseURL)
 
 		c.telemetryHandler.RecordEvent(span, "Token refreshed successfully")
 	}
@@ -2333,9 +2333,9 @@ func (c *HeadlampConfig) handleSetToken(w http.ResponseWriter, r *http.Request)
 	}
 
 	if req.Token == "" {
-		auth.ClearTokenCookie(w, r, cluster)
+		auth.ClearTokenCookie(w, r, cluster, c.BaseURL)
 	} else {
-		auth.SetTokenCookie(w, r, cluster, req.Token)
+		auth.SetTokenCookie(w, r, cluster, req.Token, c.BaseURL)
 	}
 
 	w.WriteHeader(http.StatusOK)

backend/pkg/auth/cookies.go

@@ -29,6 +29,16 @@ const (
 	chunkSize = 3800
 )
 
+// GetCookiePath returns the full cookie path including baseURL.
+func GetCookiePath(baseURL, cluster string) string {
+	if baseURL != "" {
+		baseURL = "/" + strings.Trim(baseURL, "/")
+		return baseURL + "/clusters/" + cluster
+	}
+
+	return "/clusters/" + cluster
+}
+
 // SanitizeClusterName ensures cluster names are safe for use in cookie names.
 func SanitizeClusterName(cluster string) string {
 	// Only allow alphanumeric characters, hyphens, and underscores
@@ -65,7 +75,7 @@ func IsSecureContext(r *http.Request) bool {
 }
 
 // SetTokenCookie sets an authentication cookie for a specific cluster.
-func SetTokenCookie(w http.ResponseWriter, r *http.Request, cluster, token string) {
+func SetTokenCookie(w http.ResponseWriter, r *http.Request, cluster, token, baseURL string) {
 	// Validate inputs
 	if cluster == "" || token == "" {
 		return
@@ -77,7 +87,7 @@ func SetTokenCookie(w http.ResponseWriter, r *http.Request, cluster, token strin
 	}
 
 	// Clear any existing cookies
-	ClearTokenCookie(w, r, cluster)
+	ClearTokenCookie(w, r, cluster, baseURL)
 
 	secure := IsSecureContext(r)
 
@@ -90,7 +100,7 @@ func SetTokenCookie(w http.ResponseWriter, r *http.Request, cluster, token strin
 			HttpOnly: true,
 			Secure:   secure,
 			SameSite: http.SameSiteStrictMode,
-			Path:     "/clusters/" + cluster,
+			Path:     GetCookiePath(baseURL, cluster),
 			MaxAge:   86400, // 24 hours
 		}
 
@@ -125,7 +135,7 @@ func GetTokenFromCookie(r *http.Request, cluster string) (string, error) {
 }
 
 // ClearTokenCookie clears an authentication cookie for a specific cluster.
-func ClearTokenCookie(w http.ResponseWriter, r *http.Request, cluster string) {
+func ClearTokenCookie(w http.ResponseWriter, r *http.Request, cluster, baseURL string) {
 	sanitizedCluster := SanitizeClusterName(cluster)
 	if sanitizedCluster == "" {
 		return
@@ -149,7 +159,7 @@ func ClearTokenCookie(w http.ResponseWriter, r *http.Request, cluster string) {
 			HttpOnly: true,
 			Secure:   secure,
 			SameSite: http.SameSiteStrictMode,
-			Path:     "/clusters/" + cluster,
+			Path:     GetCookiePath(baseURL, cluster),
 			MaxAge:   -1,
 		}
 		http.SetCookie(w, cookie)

backend/pkg/auth/cookies_test.go

@@ -117,13 +117,56 @@ func TestIsSecureContext(t *testing.T) {
 	}
 }
 
+func TestGetCookiePath(t *testing.T) {
+	tests := []struct {
+		name     string
+		baseURL  string
+		cluster  string
+		wantPath string
+	}{
+		{
+			name:     "empty base URL",
+			baseURL:  "",
+			cluster:  "test-cluster",
+			wantPath: "/clusters/test-cluster",
+		},
+		{
+			name:     "base URL without leading slash",
+			baseURL:  "headlamp",
+			cluster:  "test-cluster",
+			wantPath: "/headlamp/clusters/test-cluster",
+		},
+		{
+			name:     "base URL with leading slash",
+			baseURL:  "/headlamp",
+			cluster:  "test-cluster",
+			wantPath: "/headlamp/clusters/test-cluster",
+		},
+		{
+			name:     "base URL with trailing slash",
+			baseURL:  "/headlamp/",
+			cluster:  "test-cluster",
+			wantPath: "/headlamp/clusters/test-cluster",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := auth.GetCookiePath(tt.baseURL, tt.cluster)
+			if got != tt.wantPath {
+				t.Errorf("getCookiePath() = %q, want %q", got, tt.wantPath)
+			}
+		})
+	}
+}
+
 func TestSetAndGetAuthCookie(t *testing.T) {
 	req := httptest.NewRequest("GET", localhost, nil)
 	req.Host = localhost
 	w := httptest.NewRecorder()
 
 	// Test setting a cookie
-	auth.SetTokenCookie(w, req, "test-cluster", "test-token")
+	auth.SetTokenCookie(w, req, "test-cluster", "test-token", "")
 
 	// Check if cookie was set
 	cookies := w.Result().Cookies()
@@ -170,7 +213,7 @@ func TestGetAuthCookieChunked(t *testing.T) {
 	longToken := strings.Repeat("a", 5000)
 
 	// Test setting a cookie
-	auth.SetTokenCookie(w, req, "test-cluster", longToken)
+	auth.SetTokenCookie(w, req, "test-cluster", longToken, "")
 
 	// Check if cookie was set
 	cookies := w.Result().Cookies()
@@ -209,7 +252,7 @@ func TestClearAuthCookie(t *testing.T) {
 	})
 
 	// Clear a cookie
-	auth.ClearTokenCookie(w, req, "test-cluster")
+	auth.ClearTokenCookie(w, req, "test-cluster", "")
 
 	// Check if cookie was set
 	cookies := w.Result().Cookies()
@@ -218,7 +261,7 @@ func TestClearAuthCookie(t *testing.T) {
 	}
 
 	// Test clearing the cookie
-	auth.ClearTokenCookie(w, req, "test-cluster")
+	auth.ClearTokenCookie(w, req, "test-cluster", "")
 
 	// Check if cookie was cleared
 	clearedCookies := w.Result().Cookies()