fix(dashboard): conditionally restore __Host- cookie prefix (SEC-03)
Restore the __Host- browser guarantees for the default secure deployment without breaking plaintext/dev: - DashboardServiceCollectionExtensions PostConfigure now resolves the cookie name as: explicit MxGateway:Dashboard:CookieName override wins; else __Host-MxGatewayDashboard when SecurePolicy==Always (RequireHttpsCookie true); else the plain MxGatewayDashboard default. Guard: never apply the __Host- prefix without Secure (browsers silently drop it). - DashboardAuthenticationDefaults: add SecureCookieName const; keep the plain CookieName as the non-secure fallback. - Docs corrected to the actual conditional contract (five stale claims): gateway.md, GatewayProcessDesign.md, ImplementationPlanGateway.md, GatewayDashboardDesign.md, CLAUDE.md; GatewayConfiguration.md phrasing tightened. - Test: DashboardCookieOptionsTests asserts the name flips with RequireHttpsCookie and that an explicit override wins. Server build clean (0 warnings); Dashboard tests 149/149. Claude-Session: https://claude.ai/code/session_01DMXXvNuPekkkrTEyPNxEkW
This commit is contained in:
+6
-1
@@ -219,7 +219,12 @@ Dashboard authentication is LDAP-backed (distinct from the API-key model on
|
||||
the gRPC API). `/login` accepts username and password in a form body, binds
|
||||
against `MxGateway:Ldap`, maps the user's LDAP groups to `Admin` or `Viewer`
|
||||
via `MxGateway:Dashboard:GroupToRole`, and issues an HTTP-only secure
|
||||
`__Host-MxGatewayDashboard` cookie. `/logout` clears it. Login and logout
|
||||
cookie. The cookie is named `__Host-MxGatewayDashboard` when
|
||||
`MxGateway:Dashboard:RequireHttpsCookie` is true (the default, forcing Secure)
|
||||
and no `MxGateway:Dashboard:CookieName` override is set; otherwise it is named
|
||||
`MxGatewayDashboard` (the `__Host-` prefix is only valid on a Secure cookie, so
|
||||
it is dropped for HTTP-dev or custom-name deployments). `/logout` clears it.
|
||||
Login and logout
|
||||
posts validate antiforgery tokens. SignalR hub connections accept either the
|
||||
cookie or a 30-minute data-protected bearer minted at `/hubs/token`.
|
||||
`MxGateway:Dashboard:AllowAnonymousLocalhost` permits loopback to bypass the
|
||||
|
||||
Reference in New Issue
Block a user