[add] configurable cookie attribute settings

2023-10-24 18:41:25 -04:00 · 2023-10-24 18:41:25 -04:00 · 3577dd89a0
parent 912b054502
commit 3577dd89a0
3 changed files with 14 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -86,6 +86,8 @@ The service is now accessible at: `http://localhost:8585`. I recommend registeri
 | LISTEN_PORT          | 8585          | Port the server listens at                                           |
 | REGISTRATION_ENABLED | false         | Whether to allow registration (applies to both WebApp & KOSync API)  |
 | COOKIE_SESSION_KEY   | <EMPTY>       | Optional secret cookie session key (auto generated if not provided)  |
+| COOKIE_SECURE        | true          | Set Cookie `Secure` attribute (i.e. only works over HTTPS)           |
+| COOKIE_HTTP_ONLY     | true          | Set Cookie `HttpOnly` attribute (i.e. inacessible via JavaScript)    |

 ## Security

--- a/api/api.go
+++ b/api/api.go
@ -52,8 +52,8 @@ func NewApi(db *database.DBManager, c *config.Config) *API {
 	store := cookie.NewStore(newToken)
 	store.Options(sessions.Options{
 		MaxAge:   60 * 60 * 24 * 7,
-		Secure:   true,
-		HttpOnly: true,
+		Secure:   c.CookieSecure,
+		HttpOnly: c.CookieHTTPOnly,
 		SameSite: http.SameSiteStrictMode,
 	})
 	api.Router.Use(sessions.Sessions("token", store))
--- a/config/config.go
+++ b/config/config.go
@ -11,8 +11,8 @@ type Config struct {
 	ListenPort string

 	// DB Configuration
-	DBType     string
-	DBName     string
+	DBType string
+	DBName string

 	// Data Paths
 	ConfigPath string
@ -20,8 +20,12 @@ type Config struct {

 	// Miscellaneous Settings
 	RegistrationEnabled bool
-	CookieSessionKey    string
 	SearchEnabled       bool
+
+	// Cookie Settings
+	CookieSessionKey string
+	CookieSecure     bool
+	CookieHTTPOnly   bool
 }

 func Load() *Config {
@ -32,9 +36,11 @@ func Load() *Config {
 		ConfigPath:          getEnv("CONFIG_PATH", "/config"),
 		DataPath:            getEnv("DATA_PATH", "/data"),
 		ListenPort:          getEnv("LISTEN_PORT", "8585"),
-		CookieSessionKey:    trimLowerString(getEnv("COOKIE_SESSION_KEY", "")),
 		RegistrationEnabled: trimLowerString(getEnv("REGISTRATION_ENABLED", "false")) == "true",
 		SearchEnabled:       trimLowerString(getEnv("SEARCH_ENABLED", "false")) == "true",
+		CookieSessionKey:    trimLowerString(getEnv("COOKIE_SESSION_KEY", "")),
+		CookieSecure:        trimLowerString(getEnv("COOKIE_SECURE", "true")) == "true",
+		CookieHTTPOnly:      trimLowerString(getEnv("COOKIE_HTTP_ONLY", "true")) == "true",
 	}
 }