From 5460271bb51290c2b0acf2f00001096e2b12c3e2 Mon Sep 17 00:00:00 2001
From: Tobi Smethurst <31960611+tsmethurst@users.noreply.github.com>
Date: Thu, 8 Jul 2021 11:32:31 +0200
Subject: Auth flow fixes (#82)

* preliminary fixes to broken auth flow

* fix some auth/cookie weirdness

* fmt
---
 internal/router/session.go | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'internal/router')

diff --git a/internal/router/session.go b/internal/router/session.go
index a1ac09d28..2d00f7677 100644
--- a/internal/router/session.go
+++ b/internal/router/session.go
@@ -22,6 +22,7 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
+	"net/http"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-contrib/sessions/memstore"
@@ -63,6 +64,14 @@ func useSession(cfg *config.Config, dbService db.DB, engine *gin.Engine) error {
 	}
 
 	store := memstore.NewStore(rs.Auth, rs.Crypt)
+	store.Options(sessions.Options{
+		Path:     "/",
+		Domain:   cfg.Host,
+		MaxAge:   120,                     // 2 minutes
+		Secure:   true,                    // only use cookie over https
+		HttpOnly: true,                    // exclude javascript from inspecting cookie
+		SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+	})
 	sessionName := fmt.Sprintf("gotosocial-%s", cfg.Host)
 	engine.Use(sessions.Sessions(sessionName, store))
 	return nil
-- 
cgit v1.2.3