authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2022-06-03 15:40:38 +0200
committerLibravatar GitHub <noreply@github.com>2022-06-03 15:40:38 +0200
commit327d3f001f1cc219c4a718edf23b976c29c19487 (patch)
tree7fbc505601461f22eeeea6e966b9df5a43b4cafc /internal
parent[chore] Adds Issue templates to Github (#626) (diff)
downloadgotosocial-327d3f001f1cc219c4a718edf23b976c29c19487.tar.xz
[feature] Start adding advanced configuration options, starting with `samesite` (#628)
* fix incorrect port being used for db * start adding advanced config flags * use samesite lax by default
Diffstat (limited to 'internal')
-rw-r--r--internal/config/config.go2
-rw-r--r--internal/config/defaults.go2
-rw-r--r--internal/config/flags.go3
-rw-r--r--internal/config/helpers.gen.go25
-rw-r--r--internal/db/bundb/bundb.go2
-rw-r--r--internal/router/session.go29
6 files changed, 56 insertions, 7 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 431fbbe4d..573f2b3a2 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -114,6 +114,8 @@ type Configuration struct {
AdminAccountEmail string `name:"email" usage:"the email address of this account"`
AdminAccountPassword string `name:"password" usage:"the password to set for this account"`
AdminTransPath string `name:"path" usage:"the path of the file to import from/export to"`
+
+ AdvancedCookiesSamesite string `name:"advanced-cookies-samesite" usage:"'strict' or 'lax', see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite"`
}
// MarshalMap will marshal current Configuration into a map structure (useful for JSON).
diff --git a/internal/config/defaults.go b/internal/config/defaults.go
index 75af21222..f9f0bdba9 100644
--- a/internal/config/defaults.go
+++ b/internal/config/defaults.go
@@ -87,4 +87,6 @@ var Defaults = Configuration{
SyslogEnabled: false,
SyslogProtocol: "udp",
SyslogAddress: "localhost:514",
+
+ AdvancedCookiesSamesite: "lax",
}
diff --git a/internal/config/flags.go b/internal/config/flags.go
index 0be372551..6f946f1d6 100644
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -109,6 +109,9 @@ func AddServerFlags(cmd *cobra.Command) {
cmd.Flags().Bool(SyslogEnabledFlag(), cfg.SyslogEnabled, fieldtag("SyslogEnabled", "usage"))
cmd.Flags().String(SyslogProtocolFlag(), cfg.SyslogProtocol, fieldtag("SyslogProtocol", "usage"))
cmd.Flags().String(SyslogAddressFlag(), cfg.SyslogAddress, fieldtag("SyslogAddress", "usage"))
+
+ // Advanced flags
+ cmd.Flags().String(AdvancedCookiesSamesiteFlag(), cfg.AdvancedCookiesSamesite, fieldtag("AdvancedCookiesSamesite", "usage"))
})
}
diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go
index a90199495..a48828059 100644
--- a/internal/config/helpers.gen.go
+++ b/internal/config/helpers.gen.go
@@ -1492,3 +1492,28 @@ func GetAdminTransPath() string { return global.GetAdminTransPath() }
// SetAdminTransPath safely sets the value for global configuration 'AdminTransPath' field
func SetAdminTransPath(v string) { global.SetAdminTransPath(v) }
+
+// GetAdvancedCookiesSamesite safely fetches the Configuration value for state's 'AdvancedCookiesSamesite' field
+func (st *ConfigState) GetAdvancedCookiesSamesite() (v string) {
+ st.mutex.Lock()
+ v = st.config.AdvancedCookiesSamesite
+ st.mutex.Unlock()
+ return
+}
+
+// SetAdvancedCookiesSamesite safely sets the Configuration value for state's 'AdvancedCookiesSamesite' field
+func (st *ConfigState) SetAdvancedCookiesSamesite(v string) {
+ st.mutex.Lock()
+ defer st.mutex.Unlock()
+ st.config.AdvancedCookiesSamesite = v
+ st.reloadToViper()
+}
+
+// AdvancedCookiesSamesiteFlag returns the flag name for the 'AdvancedCookiesSamesite' field
+func AdvancedCookiesSamesiteFlag() string { return "advanced-cookies-samesite" }
+
+// GetAdvancedCookiesSamesite safely fetches the value for global configuration 'AdvancedCookiesSamesite' field
+func GetAdvancedCookiesSamesite() string { return global.GetAdvancedCookiesSamesite() }
+
+// SetAdvancedCookiesSamesite safely sets the value for global configuration 'AdvancedCookiesSamesite' field
+func SetAdvancedCookiesSamesite(v string) { global.SetAdvancedCookiesSamesite(v) }
diff --git a/internal/db/bundb/bundb.go b/internal/db/bundb/bundb.go
index fef62a55f..6328ca34f 100644
--- a/internal/db/bundb/bundb.go
+++ b/internal/db/bundb/bundb.go
@@ -348,7 +348,7 @@ func deriveBunDBPGOptions() (*pgx.ConnConfig, error) {
if address != "" {
cfg.Host = address
}
- if port := config.GetPort(); port > 0 {
+ if port := config.GetDbPort(); port > 0 {
cfg.Port = uint16(port)
}
if u := config.GetDbUser(); u != "" {
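Review bot: The corrected guard on the `config.GetDbPort()` line still only rejects non-positive values, so a configured port above 65535 is silently truncated by the `uint16(port)` conversion on the next line and the connection is attempted on an unintended port. Bounding the upper end at the same place keeps the conversion honest: `if port := config.GetDbPort(); port > 0 && port <= math.MaxUint16 {` (assuming GetDbPort returns a signed integer type wider than uint16; worth confirming against the accessor). deriveBunDBPGOptions begins and ends outside this hunk, so the error path for an out-of-range port is not visible here.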
diff --git a/internal/router/session.go b/internal/router/session.go
index f94b0a22a..b49542428 100644
--- a/internal/router/session.go
+++ b/internal/router/session.go
@@ -24,10 +24,12 @@ import (
"fmt"
"net/http"
"net/url"
+ "strings"
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/memstore"
"github.com/gin-gonic/gin"
+ "github.com/sirupsen/logrus"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"golang.org/x/net/idna"
@@ -35,13 +37,28 @@ import (
// SessionOptions returns the standard set of options to use for each session.
func SessionOptions() sessions.Options {
+ var samesite http.SameSite
+ switch strings.TrimSpace(strings.ToLower(config.GetAdvancedCookiesSamesite())) {
+ case "lax":
+ samesite = http.SameSiteLaxMode
+ case "strict":
+ samesite = http.SameSiteStrictMode
+ default:
+ logrus.Warnf("%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), config.GetAdvancedCookiesSamesite())
+ samesite = http.SameSiteLaxMode
+ }
+
return sessions.Options{
- Path: "/",
- Domain: config.GetHost(),
- MaxAge: 120, // 2 minutes
- Secure: config.GetProtocol() == "https", // only use cookie over https
- HttpOnly: true, // exclude javascript from inspecting cookie
- SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+ Path: "/",
+ Domain: config.GetHost(),
+ // 2 minutes
+ MaxAge: 120,
+ // only set secure over https
+ Secure: config.GetProtocol() == "https",
+ // forbid javascript from inspecting cookie
+ HttpOnly: true,
+ // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+ SameSite: samesite,
}
}
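Review bot: The `default:` branch of the new switch reads `config.GetAdvancedCookiesSamesite()` a second time for the warning, so the value logged can differ from the one that was actually examined if the setting is changed between the two calls, and the raw string is interpolated with `%s`, which hides an empty or whitespace-only value. Reading the setting once into a local and logging it quoted avoids both: `raw := config.GetAdvancedCookiesSamesite()` before the switch, `switch strings.TrimSpace(strings.ToLower(raw)) {`, and `logrus.Warnf("%s set to %q which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), raw)`. Separately, an unrecognized value falls back to the less restrictive mode at runtime rather than being rejected when the configuration is loaded, so a typo in `advanced-cookies-samesite` weakens the cookie with only a log line as evidence; validating the value at config time (or falling back to strict) would fail closed. A short doc comment on the switch, such as `// Normalise the configured value; only 'lax' and 'strict' are supported, anything else falls back to lax.`, would make that contract visible to the next reader.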