diff options
Diffstat (limited to 'internal/api/util/cookie.go')
| -rw-r--r-- | internal/api/util/cookie.go | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/internal/api/util/cookie.go b/internal/api/util/cookie.go new file mode 100644 index 000000000..29160f0af --- /dev/null +++ b/internal/api/util/cookie.go @@ -0,0 +1,83 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. + +package util + +import ( + "net/http" + "net/url" + + "code.superseriousbusiness.org/gotosocial/internal/config" + "code.superseriousbusiness.org/gotosocial/internal/log" + "github.com/gin-gonic/gin" +) + +// CookiePolicy encompasses a number +// of security related cookie directives +// of which we want to be set consistently +// on all cookies administered by us. +type CookiePolicy struct { + Domain string + SameSite http.SameSite + HTTPOnly bool + Secure bool +} + +// NewCookiePolicy will return a new CookiePolicy{} +// object setup according to current instance config. +func NewCookiePolicy() CookiePolicy { + var sameSite http.SameSite + switch s := config.GetAdvancedCookiesSamesite(); s { + case "strict": + sameSite = http.SameSiteStrictMode + case "lax": + sameSite = http.SameSiteLaxMode + default: + log.Warnf(nil, "%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), s) + sameSite = http.SameSiteLaxMode + } + return CookiePolicy{ + Domain: config.GetHost(), + + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 + SameSite: sameSite, + + // forbid javascript from + // inspecting cookie + HTTPOnly: true, + + // only set secure cookie directive over https + Secure: (config.GetProtocol() == "https"), + } +} + +// SetCookie will set the given cookie details according to currently configured CookiePolicy{}. +func (p *CookiePolicy) SetCookie(c *gin.Context, name, value string, maxAge int, path string) { + if path == "" { + path = "/" + } + http.SetCookie(c.Writer, &http.Cookie{ + Name: name, + Value: url.QueryEscape(value), + MaxAge: maxAge, + Path: path, + Domain: p.Domain, + SameSite: p.SameSite, + Secure: p.Secure, + HttpOnly: p.HTTPOnly, + }) +} |