From f966ca8b833adf05b52b21d76d3118a42cb06711 Mon Sep 17 00:00:00 2001
From: yusing
Date: Fri, 28 Mar 2025 08:51:45 +0800
Subject: [PATCH] feat: update cookie security settings to use API_JWT_SECURE environment variable

---
 internal/api/v1/auth/oidc.go | 2 +-
 internal/api/v1/auth/utils.go | 4 +++-
 internal/common/env.go | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/internal/api/v1/auth/oidc.go b/internal/api/v1/auth/oidc.go
index 125c6083..2643a990 100644
--- a/internal/api/v1/auth/oidc.go
+++ b/internal/api/v1/auth/oidc.go
@@ -197,7 +197,7 @@ func (auth *OIDCProvider) RedirectLoginPage(w http.ResponseWriter, r *http.Reque
 MaxAge: 300,
 HttpOnly: true,
 SameSite: http.SameSiteLaxMode,
- Secure: r.TLS != nil,
+ Secure: common.APIJWTSecure,
 Path: "/",
 })
diff --git a/internal/api/v1/auth/utils.go b/internal/api/v1/auth/utils.go
index bd7f9a84..db0501df 100644
--- a/internal/api/v1/auth/utils.go
+++ b/internal/api/v1/auth/utils.go
@@ -5,6 +5,7 @@ import (
 "net/http"
 "time"
+ "github.com/yusing/go-proxy/internal/common"
 "github.com/yusing/go-proxy/internal/gperr"
 "github.com/yusing/go-proxy/internal/utils/strutils"
 )
@@ -43,7 +44,7 @@ func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string,
 MaxAge: int(ttl.Seconds()),
 Domain: cookieFQDN(r),
 HttpOnly: true,
- Secure: r.TLS != nil,
+ Secure: common.APIJWTSecure,
 SameSite: http.SameSiteLaxMode,
 Path: "/",
 })
@@ -56,6 +57,7 @@ func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
 MaxAge: -1,
 Domain: cookieFQDN(r),
 HttpOnly: true,
+ Secure: common.APIJWTSecure,
 SameSite: http.SameSiteLaxMode,
 Path: "/",
 })
diff --git a/internal/common/env.go b/internal/common/env.go
index 75f33dcb..9df4cb77 100644
--- a/internal/common/env.go
+++ b/internal/common/env.go
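Review bot: With `Secure: common.APIJWTSecure` the cookie's Secure attribute no longer reflects how the request actually arrived, so an operator who sets API_JWT_SECURE=false while the API is still reached over TLS gets the session-token cookie marked non-Secure, and the browser will then attach it to any later plain-HTTP request for the same host; the removed `r.TLS != nil` acted as a floor, not merely a detection. Keeping the request-derived signal as a lower bound preserves the intent of the change (working behind a TLS-terminating proxy where r.TLS is nil) without letting configuration downgrade a direct-TLS deployment: `Secure: common.APIJWTSecure || r.TLS != nil`. The same applies to the setTokenCookie and clearTokenCookie hunks in utils.go. Since the new default is true, a plain-HTTP deployment that does not set the variable will have its cookies discarded by the browser and login will silently fail, which is worth stating wherever the variable is documented. RedirectLoginPage's body begins and ends outside the hunk.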
@@ -36,6 +36,7 @@ var (
 PrometheusEnabled = GetEnvBool("PROMETHEUS_ENABLED", false)
+ APIJWTSecure = GetEnvBool("API_JWT_SECURE", true)
 APIJWTSecret = decodeJWTKey(GetEnvString("API_JWT_SECRET", ""))
 APIJWTTokenTTL = GetDurationEnv("API_JWT_TOKEN_TTL", time.Hour)
 APIUser = GetEnvString("API_USER", "admin")
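Review bot: `APIJWTSecure` is a new exported, security-relevant setting with no doc comment, and its default of true changes behaviour for plain-HTTP deployments (browsers discard a Secure cookie set from an insecure origin, so login stops working until the variable is set). A comment on the added line such as `// APIJWTSecure sets the Secure attribute on the auth cookies; set API_JWT_SECURE=false only when the API is served over plain HTTP, since browsers drop Secure cookies on insecure origins.` would make that trade-off visible to operators. The name suggests it covers only the JWT cookie, but the same value also governs the OIDC state cookie in oidc.go, which the comment should mention. The enclosing var block starts outside the hunk.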