| author | 2025-04-29 13:57:26 +0000 | |
|---|---|---|
| committer | 2025-04-29 13:57:26 +0000 | |
| commit | 31628019fead4489d7a57868bee110f6b6e91d09 (patch) | |
| tree | a540739f3491d23054f455e9a85afd510fbf589f /internal/middleware/session.go | |
| parent | [bugfix] don't prevent moved accounts from invalidating their old tokens (#4091) (diff) | |
| download | gotosocial-31628019fead4489d7a57868bee110f6b6e91d09.tar.xz | |
[chore] tweak NoLLaMas proof-of-work algorithm (#4090)
# Description
- tweaks the NoLLaMas proof-of-work algorithm to give finer-grained control over the time spent computing solutions
- standardizes GoToSocial cookie security directive setting in a CookiePolicy{} type
## Checklist
- [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md).
- [x] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
- [x] I/we have not leveraged AI to create the proposed changes.
- [x] I/we have performed a self-review of added code.
- [x] I/we have written code that is legible and maintainable by others.
- [x] I/we have commented the added code, particularly in hard-to-understand areas.
- [ ] I/we have made any necessary changes to documentation.
- [ ] I/we have added tests that cover new code.
- [ ] I/we have run tests and they pass locally with the changes.
- [x] I/we have run `go fmt ./...` and `golangci-lint run`.
Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4090
Co-authored-by: kim <grufwub@gmail.com>
Co-committed-by: kim <grufwub@gmail.com>
Diffstat (limited to 'internal/middleware/session.go')
| -rw-r--r-- | internal/middleware/session.go | 39 |
1 files changed, 11 insertions, 28 deletions
diff --git a/internal/middleware/session.go b/internal/middleware/session.go
index 50433002a..83b38ef35 100644
--- a/internal/middleware/session.go
+++ b/internal/middleware/session.go
@@ -19,12 +19,10 @@ package middleware
 import (
 	"fmt"
-	"net/http"
 	"net/url"
-	"strings"
+	apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"
 	"code.superseriousbusiness.org/gotosocial/internal/config"
-	"code.superseriousbusiness.org/gotosocial/internal/log"
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/memstore"
 	"github.com/gin-gonic/gin"
@@ -32,29 +30,15 @@ import (
 )
 // SessionOptions returns the standard set of options to use for each session.
-func SessionOptions() sessions.Options {
-	var samesite http.SameSite
-	switch strings.TrimSpace(strings.ToLower(config.GetAdvancedCookiesSamesite())) {
-	case "lax":
-		samesite = http.SameSiteLaxMode
-	case "strict":
-		samesite = http.SameSiteStrictMode
-	default:
-		log.Warnf(nil, "%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), config.GetAdvancedCookiesSamesite())
-		samesite = http.SameSiteLaxMode
-	}
-
+func SessionOptions(cookiePolicy apiutil.CookiePolicy) sessions.Options {
 	return sessions.Options{
 		Path: "/",
-		Domain: config.GetHost(),
+		Domain: cookiePolicy.Domain,
 		// 2 minutes
-		MaxAge: 120,
-		// only set secure over https
-		Secure: config.GetProtocol() == "https",
-		// forbid javascript from inspecting cookie
-		HttpOnly: true,
-		// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
-		SameSite: samesite,
+		MaxAge: 120,
+		Secure: cookiePolicy.Secure,
+		HttpOnly: cookiePolicy.HTTPOnly,
+		SameSite: cookiePolicy.SameSite,
 	}
 }
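Review bot: The new SessionOptions body makes HttpOnly, Secure and SameSite entirely dependent on the caller-supplied CookiePolicy, so a zero-value `apiutil.CookiePolicy{}` (or a policy built before config is loaded) now yields a session cookie with HttpOnly=false, Secure=false and no SameSite attribute, whereas the removed code hard-coded `HttpOnly: true` and derived the others from config. The session cookie is never legitimately read by JavaScript, so HttpOnly should not be policy-controlled at all; I would keep `HttpOnly: true, // session cookie must never be readable by JS, regardless of policy` here and take only Domain/Secure/SameSite from cookiePolicy. The "unrecognized SameSite value, defaulting to lax" warning was also dropped from this file; presumably it moved into the CookiePolicy constructor, but that is not visible in this hunk and is worth confirming, since a silently-zero SameSite means Go omits the attribute and leaves the default to the browser. The two-minute MaxAge is unchanged and fine for an OAuth flow cookie, but a comment saying what the 120 seconds is scoped to (the authorize/login round-trip) would help the next reader.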
@@ -84,11 +68,10 @@ func SessionName() (string, error) {
 	return fmt.Sprintf("gotosocial-%s", punyHostname), nil
 }
-// Session returns a new gin middleware that implements session cookies using the given
-// sessionName, authentication key, and encryption key. Session name can be derived from the
-// SessionName utility function in this package.
-func Session(sessionName string, auth []byte, crypt []byte) gin.HandlerFunc {
+// Session returns a new gin middleware that implements session cookies using the given sessionName, authentication
+// key, and encryption key. Session name can be derived from the SessionName utility function in this package.
+func Session(sessionName string, auth []byte, crypt []byte, cookiePolicy apiutil.CookiePolicy) gin.HandlerFunc {
 	store := memstore.NewStore(auth, crypt)
-	store.Options(SessionOptions())
+	store.Options(SessionOptions(cookiePolicy))
 	return sessions.Sessions(sessionName, store)
 }
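Review bot: The rewritten doc comment on Session still describes only sessionName, auth and crypt and says nothing about the new cookiePolicy parameter, which now decides the Domain, Secure, HttpOnly and SameSite attributes of every session cookie this middleware issues. I would add a line such as `// cookiePolicy controls the Domain, Secure, HttpOnly and SameSite attributes set on the session cookie; see SessionOptions.` so callers understand that passing a zero-value policy weakens the cookie rather than falling back to a safe default. The memstore-backed store means sessions live only in this process's memory, which the old comment also left unsaid; a short note that a restart or a second replica will not see these sessions would be useful here too, hedged if that behaviour is handled elsewhere.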
