3 files changed, 95 insertions, 2 deletions
diff --git a/internal/api/auth.go b/internal/api/auth.go
index 2504acb30..fb92f3ef1 100644
--- a/internal/api/auth.go
+++ b/internal/api/auth.go
@@ -19,6 +19,7 @@ package api
 
 import (
 	"code.superseriousbusiness.org/gotosocial/internal/api/auth"
+	apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"
 	"code.superseriousbusiness.org/gotosocial/internal/gtsmodel"
 	"code.superseriousbusiness.org/gotosocial/internal/middleware"
 	"code.superseriousbusiness.org/gotosocial/internal/oidc"
@@ -31,6 +32,7 @@ import (
 type Auth struct {
 	routerSession *gtsmodel.RouterSession
 	sessionName   string
+	cookiePolicy  apiutil.CookiePolicy
 
 	auth *auth.Module
 }
@@ -47,7 +49,12 @@ func (a *Auth) Route(r *router.Router, m ...gin.HandlerFunc) {
 			Directives: []string{"private", "max-age=120"},
 			Vary:       []string{"Accept", "Accept-Encoding"},
 		})
-		sessionMiddleware = middleware.Session(a.sessionName, a.routerSession.Auth, a.routerSession.Crypt)
+		sessionMiddleware = middleware.Session(
+			a.sessionName,
+			a.routerSession.Auth,
+			a.routerSession.Crypt,
+			a.cookiePolicy,
+		)
 	)
 	authGroup.Use(m...)
 	oauthGroup.Use(m...)
@@ -64,10 +71,12 @@ func NewAuth(
 	idp oidc.IDP,
 	routerSession *gtsmodel.RouterSession,
 	sessionName string,
+	cookiePolicy apiutil.CookiePolicy,
 ) *Auth {
 	return &Auth{
 		routerSession: routerSession,
 		sessionName:   sessionName,
+		cookiePolicy:  cookiePolicy,
 		auth:          auth.New(state, p, idp),
 	}
 }
diff --git a/internal/api/auth/auth_test.go b/internal/api/auth/auth_test.go
index 8082f4aed..18261eea0 100644
--- a/internal/api/auth/auth_test.go
+++ b/internal/api/auth/auth_test.go
@@ -24,6 +24,7 @@ import (
 
 	"code.superseriousbusiness.org/gotosocial/internal/admin"
 	"code.superseriousbusiness.org/gotosocial/internal/api/auth"
+	apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"
 	"code.superseriousbusiness.org/gotosocial/internal/config"
 	"code.superseriousbusiness.org/gotosocial/internal/db"
 	"code.superseriousbusiness.org/gotosocial/internal/email"
@@ -142,7 +143,7 @@ func (suite *AuthStandardTestSuite) newContext(
 
 	// Trigger the session middleware on the context.
 	store := memstore.NewStore(make([]byte, 32), make([]byte, 32))
-	store.Options(middleware.SessionOptions())
+	store.Options(middleware.SessionOptions(apiutil.NewCookiePolicy()))
 	sessionMiddleware := sessions.Sessions("gotosocial-localhost", store)
 	sessionMiddleware(ctx)
 
diff --git a/internal/api/util/cookie.go b/internal/api/util/cookie.go
new file mode 100644
index 000000000..29160f0af
--- /dev/null
+++ b/internal/api/util/cookie.go
@@ -0,0 +1,83 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package util
+
+import (
+	"net/http"
+	"net/url"
+
+	"code.superseriousbusiness.org/gotosocial/internal/config"
+	"code.superseriousbusiness.org/gotosocial/internal/log"
+	"github.com/gin-gonic/gin"
+)
+
+// CookiePolicy encompasses a number
+// of security related cookie directives
+// of which we want to be set consistently
+// on all cookies administered by us.
+type CookiePolicy struct {
+	Domain   string
+	SameSite http.SameSite
+	HTTPOnly bool
+	Secure   bool
+}
+
+// NewCookiePolicy will return a new CookiePolicy{}
+// object setup according to current instance config.
+func NewCookiePolicy() CookiePolicy {
+	var sameSite http.SameSite
+	switch s := config.GetAdvancedCookiesSamesite(); s {
+	case "strict":
+		sameSite = http.SameSiteStrictMode
+	case "lax":
+		sameSite = http.SameSiteLaxMode
+	default:
+		log.Warnf(nil, "%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), s)
+		sameSite = http.SameSiteLaxMode
+	}
+	return CookiePolicy{
+		Domain: config.GetHost(),
+
+		// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+		SameSite: sameSite,
+
+		// forbid javascript from
+		// inspecting cookie
+		HTTPOnly: true,
+
+		// only set secure cookie directive over https
+		Secure: (config.GetProtocol() == "https"),
+	}
+}
+
+// SetCookie will set the given cookie details according to currently configured CookiePolicy{}.
+func (p *CookiePolicy) SetCookie(c *gin.Context, name, value string, maxAge int, path string) {
+	if path == "" {
+		path = "/"
+	}
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     name,
+		Value:    url.QueryEscape(value),
+		MaxAge:   maxAge,
+		Path:     path,
+		Domain:   p.Domain,
+		SameSite: p.SameSite,
+		Secure:   p.Secure,
+		HttpOnly: p.HTTPOnly,
+	})
+}