[chore] tweak NoLLaMas proof-of-work algorithm (#4090)

# Description

- tweaks the NoLLaMas proof-of-work algorithm to further granularity on time spent computing solutions
- standardizes GoToSocial cookie security directive setting in a CookiePolicy{} type

## Checklist

- [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md).
- [x] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
- [x] I/we have not leveraged AI to create the proposed changes.
- [x] I/we have performed a self-review of added code.
- [x] I/we have written code that is legible and maintainable by others.
- [x] I/we have commented the added code, particularly in hard-to-understand areas.
- [ ] I/we have made any necessary changes to documentation.
- [ ] I/we have added tests that cover new code.
- [ ] I/we have run tests and they pass locally with the changes.
- [x] I/we have run `go fmt ./...` and `golangci-lint run`.

Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4090
Co-authored-by: kim <grufwub@gmail.com>
Co-committed-by: kim <grufwub@gmail.com>

internal/api/util/cookie.go

@@ -0,0 +1,83 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package util
+
+import (
+	"net/http"
+	"net/url"
+
+	"code.superseriousbusiness.org/gotosocial/internal/config"
+	"code.superseriousbusiness.org/gotosocial/internal/log"
+	"github.com/gin-gonic/gin"
+)
+
+// CookiePolicy encompasses a number
+// of security related cookie directives
+// of which we want to be set consistently
+// on all cookies administered by us.
+type CookiePolicy struct {
+	Domain   string
+	SameSite http.SameSite
+	HTTPOnly bool
+	Secure   bool
+}
+
+// NewCookiePolicy will return a new CookiePolicy{}
+// object setup according to current instance config.
+func NewCookiePolicy() CookiePolicy {
+	var sameSite http.SameSite
+	switch s := config.GetAdvancedCookiesSamesite(); s {
+	case "strict":
+		sameSite = http.SameSiteStrictMode
+	case "lax":
+		sameSite = http.SameSiteLaxMode
+	default:
+		log.Warnf(nil, "%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), s)
+		sameSite = http.SameSiteLaxMode
+	}
+	return CookiePolicy{
+		Domain: config.GetHost(),
+
+		// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+		SameSite: sameSite,
+
+		// forbid javascript from
+		// inspecting cookie
+		HTTPOnly: true,
+
+		// only set secure cookie directive over https
+		Secure: (config.GetProtocol() == "https"),
+	}
+}
+
+// SetCookie will set the given cookie details according to currently configured CookiePolicy{}.
+func (p *CookiePolicy) SetCookie(c *gin.Context, name, value string, maxAge int, path string) {
+	if path == "" {
+		path = "/"
+	}
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     name,
+		Value:    url.QueryEscape(value),
+		MaxAge:   maxAge,
+		Path:     path,
+		Domain:   p.Domain,
+		SameSite: p.SameSite,
+		Secure:   p.Secure,
+		HttpOnly: p.HTTPOnly,
+	})
+}