From eb60b3fbde1e5c00009fc45ee06d60c249a281ba Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Tue, 6 Jul 2021 18:34:36 +0200
Subject: [PATCH] Don't enforce secure cookie flag if external URL begins with http://
Closes: #3
---
 api/user_auth.go | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/api/user_auth.go b/api/user_auth.go
index 404161d..9142d1a 100644
--- a/api/user_auth.go
+++ b/api/user_auth.go
@@ -36,6 +36,7 @@ import (
 "fmt"
 "log"
 "net/http"
+ "strings"
 "time"
 "github.com/gin-gonic/gin"
@@ -138,18 +139,26 @@ func completeAuth(opts *config.Options, c *gin.Context, email string, service st
 c.SetCookie(
 COOKIE_NAME, // name
 base64.StdEncoding.EncodeToString(session.Id), // value
- 30*24*3600, // maxAge
- opts.BaseURL+"/", // path
- "", // domain
- opts.DevProxy == "", // secure
- true, // httpOnly
+ 30*24*3600, // maxAge
+ opts.BaseURL+"/", // path
+ "", // domain
+ opts.DevProxy == "" && !strings.HasPrefix(opts.ExternalURL, "http://"), // secure
+ true, // httpOnly
 )
 c.JSON(http.StatusOK, currentUser(usr))
 }
 func logout(opts *config.Options, c *gin.Context) {
- c.SetCookie(COOKIE_NAME, "", -1, opts.BaseURL+"/", "", opts.DevProxy == "", true)
+ c.SetCookie(
+ COOKIE_NAME,
+ "",
+ -1,
+ opts.BaseURL+"/",
+ "",
+ opts.DevProxy == "" && !strings.HasPrefix(opts.ExternalURL, "http://"),
+ true,
+ )
 c.JSON(http.StatusOK, true)
 }
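Review bot: The Secure-flag expression `opts.DevProxy == "" && !strings.HasPrefix(opts.ExternalURL, "http://")` is written out twice, once in the SetCookie call of completeAuth and once in logout, so the two copies can drift apart on the next change. I would move it into a single helper, e.g. `func secureCookie(opts *config.Options) bool`, carrying a comment such as `// Secure is dropped only for dev-proxy or plain-http deployments; the session id then travels unencrypted.` Because a stale or mistyped ExternalURL now removes the flag without any signal, logging a warning once when that helper returns false would let operators notice the downgrade. The prefix test is case-sensitive, so a value like `HTTP://…` keeps Secure on; that fails safe but is worth stating in the comment. completeAuth's body starts outside the hunk.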