From 31628019fead4489d7a57868bee110f6b6e91d09 Mon Sep 17 00:00:00 2001 From: kim Date: Tue, 29 Apr 2025 13:57:26 +0000 Subject: [chore] tweak NoLLaMas proof-of-work algorithm (#4090) # Description - tweaks the NoLLaMas proof-of-work algorithm to further granularity on time spent computing solutions - standardizes GoToSocial cookie security directive setting in a CookiePolicy{} type ## Checklist - [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md). - [x] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat. - [x] I/we have not leveraged AI to create the proposed changes. - [x] I/we have performed a self-review of added code. - [x] I/we have written code that is legible and maintainable by others. - [x] I/we have commented the added code, particularly in hard-to-understand areas. - [ ] I/we have made any necessary changes to documentation. - [ ] I/we have added tests that cover new code. - [ ] I/we have run tests and they pass locally with the changes. - [x] I/we have run `go fmt ./...` and `golangci-lint run`. Co-authored-by: tobi Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4090 Co-authored-by: kim Co-committed-by: kim --- internal/api/util/cookie.go | 83 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 internal/api/util/cookie.go (limited to 'internal/api/util/cookie.go') diff --git a/internal/api/util/cookie.go b/internal/api/util/cookie.go new file mode 100644 index 000000000..29160f0af --- /dev/null +++ b/internal/api/util/cookie.go @@ -0,0 +1,83 @@ +// GoToSocial +// Copyright (C) GoToSocial Authors admin@gotosocial.org +// SPDX-License-Identifier: AGPL-3.0-or-later +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package util + +import ( + "net/http" + "net/url" + + "code.superseriousbusiness.org/gotosocial/internal/config" + "code.superseriousbusiness.org/gotosocial/internal/log" + "github.com/gin-gonic/gin" +) + +// CookiePolicy encompasses a number +// of security related cookie directives +// of which we want to be set consistently +// on all cookies administered by us. +type CookiePolicy struct { + Domain string + SameSite http.SameSite + HTTPOnly bool + Secure bool +} + +// NewCookiePolicy will return a new CookiePolicy{} +// object setup according to current instance config. +func NewCookiePolicy() CookiePolicy { + var sameSite http.SameSite + switch s := config.GetAdvancedCookiesSamesite(); s { + case "strict": + sameSite = http.SameSiteStrictMode + case "lax": + sameSite = http.SameSiteLaxMode + default: + log.Warnf(nil, "%s set to %s which is not recognized, defaulting to 'lax'", config.AdvancedCookiesSamesiteFlag(), s) + sameSite = http.SameSiteLaxMode + } + return CookiePolicy{ + Domain: config.GetHost(), + + // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 + SameSite: sameSite, + + // forbid javascript from + // inspecting cookie + HTTPOnly: true, + + // only set secure cookie directive over https + Secure: (config.GetProtocol() == "https"), + } +} + +// SetCookie will set the given cookie details according to currently configured CookiePolicy{}. +func (p *CookiePolicy) SetCookie(c *gin.Context, name, value string, maxAge int, path string) { + if path == "" { + path = "/" + } + http.SetCookie(c.Writer, &http.Cookie{ + Name: name, + Value: url.QueryEscape(value), + MaxAge: maxAge, + Path: path, + Domain: p.Domain, + SameSite: p.SameSite, + Secure: p.Secure, + HttpOnly: p.HTTPOnly, + }) +} -- cgit v1.2.3