author | 2022-06-03 15:40:38 +0200 | |
---|---|---|
committer | 2022-06-03 15:40:38 +0200 | |
commit | 327d3f001f1cc219c4a718edf23b976c29c19487 (patch) | |
tree | 7fbc505601461f22eeeea6e966b9df5a43b4cafc /internal/router | |
parent | [chore] Adds Issue templates to Github (#626) (diff) | |
[feature] Start adding advanced configuration options, starting with `samesite` (#628)
* fix incorrect port being used for db
* start adding advanced config flags
* use samesite lax by default
Diffstat (limited to 'internal/router')
-rw-r--r-- | internal/router/session.go | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/internal/router/session.go b/internal/router/session.go
index f94b0a22a..b49542428 100644
--- a/internal/router/session.go
+++ b/internal/router/session.go
@@ -24,10 +24,12 @@ import (
 "fmt"
 "net/http"
 "net/url"
+ "strings"
 "github.com/gin-contrib/sessions"
 "github.com/gin-contrib/sessions/memstore"
 "github.com/gin-gonic/gin"
+ "github.com/sirupsen/logrus"
 "github.com/superseriousbusiness/gotosocial/internal/config"
 "github.com/superseriousbusiness/gotosocial/internal/db"
 "golang.org/x/net/idna"
@@ -35,13 +37,28 @@ import (
 // SessionOptions returns the standard set of options to use for each session.
 func SessionOptions() sessions.Options {
+ var samesite http.SameSite
+ switch strings.TrimSpace(strings.ToLower(config.GetAdvancedCookiesSamesite())) {
+ case "lax":
+ samesite = http.SameSiteLaxMode
+ case "strict":
+ samesite = http.SameSiteStrictMode
+ default:
+ logrus.Warnf("%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), config.GetAdvancedCookiesSamesite())
+ samesite = http.SameSiteLaxMode
+ }
+
 return sessions.Options{
- Path: "/",
- Domain: config.GetHost(),
- MaxAge: 120, // 2 minutes
- Secure: config.GetProtocol() == "https", // only use cookie over https
- HttpOnly: true, // exclude javascript from inspecting cookie
- SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+ Path: "/",
+ Domain: config.GetHost(),
+ // 2 minutes
+ MaxAge: 120,
+ // only set secure over https
+ Secure: config.GetProtocol() == "https",
+ // forbid javascript from inspecting cookie
+ HttpOnly: true,
+ // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+ SameSite: samesite,
 }
 } |
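Review bot: In the new `default:` branch of the switch in SessionOptions, an unrecognized value is silently downgraded to `http.SameSiteLaxMode`, which is less restrictive than the `http.SameSiteStrictMode` the function returned before this change, so a typo in the flag quietly loosens the cookie policy instead of surfacing it. The warning is also emitted on every call to SessionOptions rather than once, so the misconfiguration is easy to miss in log noise; validating the flag once in config validation at startup and rejecting unknown values, or at least falling back to strict, would keep a bad value from weakening the session cookie. The `%s` used for the configured value in the Warnf should be `%q` so an empty or whitespace-only setting is visible: `logrus.Warnf("%s set to %q which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), config.GetAdvancedCookiesSamesite())`. Whether GetAdvancedCookiesSamesite returns "lax" when the flag is unset (as the commit message suggests) is not visible in this hunk.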