Don't enforce secure cookie flag if external URL begins with http://

Closes: #3
2021-07-06 18:34:36 +02:00 · 2021-07-06 18:34:36 +02:00 · eb60b3fbde
parent 69b7ff179b
commit eb60b3fbde
1 changed files with 15 additions and 6 deletions
--- a/api/user_auth.go
+++ b/api/user_auth.go
@ -36,6 +36,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"strings"
 	"time"

 	"github.com/gin-gonic/gin"
@ -138,18 +139,26 @@ func completeAuth(opts *config.Options, c *gin.Context, email string, service st
 	c.SetCookie(
 		COOKIE_NAME, // name
 		base64.StdEncoding.EncodeToString(session.Id), // value
-		30*24*3600,          // maxAge
-		opts.BaseURL+"/",    // path
-		"",                  // domain
-		opts.DevProxy == "", // secure
-		true,                // httpOnly
+		30*24*3600,       // maxAge
+		opts.BaseURL+"/", // path
+		"",               // domain
+		opts.DevProxy == "" && !strings.HasPrefix(opts.ExternalURL, "http://"), // secure
+		true, // httpOnly
 	)

 	c.JSON(http.StatusOK, currentUser(usr))
 }

 func logout(opts *config.Options, c *gin.Context) {
-	c.SetCookie(COOKIE_NAME, "", -1, opts.BaseURL+"/", "", opts.DevProxy == "", true)
+	c.SetCookie(
+		COOKIE_NAME,
+		"",
+		-1,
+		opts.BaseURL+"/",
+		"",
+		opts.DevProxy == "" && !strings.HasPrefix(opts.ExternalURL, "http://"),
+		true,
+	)
 	c.JSON(http.StatusOK, true)
 }