path: root/internal/router/session.go
authorLibravatar Tobi Smethurst <31960611+tsmethurst@users.noreply.github.com>2021-07-08 11:32:31 +0200
committerLibravatar GitHub <noreply@github.com>2021-07-08 11:32:31 +0200
commit5460271bb51290c2b0acf2f00001096e2b12c3e2 (patch)
tree6c811b48205502737379a26b9dc15383cf4d4b25 /internal/router/session.go
parentclean up some weirdness in the router (#80) (diff)
Auth flow fixes (#82)
* preliminary fixes to broken auth flow * fix some auth/cookie weirdness * fmt
Diffstat (limited to 'internal/router/session.go')
-rw-r--r--internal/router/session.go9
1 files changed, 9 insertions, 0 deletions
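--- a/internal/router/session.go
+++ b/internal/router/session.go
@@ -22,6 +22,7 @@ import (
 "crypto/rand"
 "errors"
 "fmt"
+"net/http"
 "github.com/gin-contrib/sessions"
 "github.com/gin-contrib/sessions/memstore"
@@ -63,6 +64,14 @@ func useSession(cfg *config.Config, dbService db.DB, engine *gin.Engine) error {
 }
 store := memstore.NewStore(rs.Auth, rs.Crypt)
+store.Options(sessions.Options{
+Path: "/",
+Domain: cfg.Host,
+MaxAge: 120, // 2 minutes
+Secure: true, // only use cookie over https
+HttpOnly: true, // exclude javascript from inspecting cookie
+SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+})
 sessionName := fmt.Sprintf("gotosocial-%s", cfg.Host)
 engine.Use(sessions.Sessions(sessionName, store))
 return nil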
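Review bot: Setting `Domain: cfg.Host` in the sessions.Options widens the cookie's scope: a cookie carrying an explicit Domain attribute is sent to every subdomain of that host, whereas leaving Domain empty yields a host-only cookie bound to the exact origin that set it, which is the tighter default for an auth session. Unless subdomains genuinely need to share the session, consider dropping the `Domain: cfg.Host,` line; if cfg.Host can ever include a port, the attribute would also be malformed and browsers may discard the cookie, which is worth checking against the config loader. The MaxAge of 120 seconds is short for a user completing a sign-in flow, so a comment stating that the session only has to survive the authorize-to-callback round trip (if that is the intent) would make the number defensible to the next maintainer. `Secure: true` is the right default but means the cookie is never stored over plain http, so local testing without TLS will look like a broken login; a comment such as `// NOTE: cookie is dropped by browsers over plain http, so test behind TLS` would save debugging time. useSession begins before the hunk and its closing brace lies outside it.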