Auth flow fixes (#82)

* preliminary fixes to broken auth flow * fix some auth/cookie weirdness * fmt
2025-06-05 21:59:39 +02:00 · 2021-07-08 11:32:31 +02:00
parent c71e55ecc4
commit 5460271bb5
5 changed files with 79 additions and 49 deletions
--- a/internal/router/session.go
+++ b/internal/router/session.go
@@ -22,6 +22,7 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
+	"net/http"

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/memstore"
@@ -63,6 +64,14 @@ func useSession(cfg *config.Config, dbService db.DB, engine *gin.Engine) error {
 	}

 	store := memstore.NewStore(rs.Auth, rs.Crypt)
+	store.Options(sessions.Options{
+		Path:     "/",
+		Domain:   cfg.Host,
+		MaxAge:   120,                     // 2 minutes
+		Secure:   true,                    // only use cookie over https
+		HttpOnly: true,                    // exclude javascript from inspecting cookie
+		SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+	})
 	sessionName := fmt.Sprintf("gotosocial-%s", cfg.Host)
 	engine.Use(sessions.Sessions(sessionName, store))
 	return nil