From 5d52caab7008087ff72cfa1b42f3f3a5082cac0a Mon Sep 17 00:00:00 2001
From: Sam Therapy
Date: Mon, 20 Feb 2023 18:05:09 +0100
Subject: [PATCH] fix(backend): make cookie more strict

THIS IS STILL NOT ENOUGH!

Signed-off-by: Sam Therapy
---
 internal/api/auth.go | 18 +++++++++---------
 internal/api/users.go | 10 +++++-----
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/internal/api/auth.go b/internal/api/auth.go
index 1a10922..636d8d0 100644
--- a/internal/api/auth.go
+++ b/internal/api/auth.go
@@ -98,11 +98,11 @@ func Login(w http.ResponseWriter, r *http.Request) {
 HttpOnly: true,
 Expires: time.Now().Add(1 * time.Hour),
 MaxAge: 3600,
- SameSite: http.SameSiteLaxMode,
- // Uncomment below for HTTPS:
- // Secure: true,
- Name: "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
- Value: token,
+ SameSite: http.SameSiteStrictMode,
+ // Comment below to disable HTTPS:
+ Secure: true,
+ Name: "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
+ Value: token,
 })
 
 w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -120,10 +120,10 @@ func Logout(w http.ResponseWriter, r *http.Request) {
 http.SetCookie(w, &http.Cookie{
 HttpOnly: true,
 MaxAge: -1, // Delete the cookie.
- SameSite: http.SameSiteLaxMode,
- // Secure: true,
- Name: "jwt",
- Value: "",
+ SameSite: http.SameSiteStrictMode,
+ Secure: true,
+ Name: "jwt",
+ Value: "",
 })
 
 w.Header().Set("Content-Type", "application/json; charset=utf-8")
diff --git a/internal/api/users.go b/internal/api/users.go
index b681fb8..1290213 100644
--- a/internal/api/users.go
+++ b/internal/api/users.go
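Review bot: `Secure: true` is now hard-coded in the Login cookie under the instruction `// Comment below to disable HTTPS:`, which turns the deployment mode into a source edit and means a server reached over plain http:// (anything but localhost in current browsers) will never get the cookie stored at all, so the failure shows up as "login does nothing" rather than as a configuration error. The same literal is repeated in the Logout hunk below and in the NewUser hunk in users.go, so three copies must be kept in step by hand, and the Logout deletion cookie only replaces the Login cookie if Name, Path and Domain match — with no explicit Path, both currently depend on the default path the browser derives from each handler's request URL. Strict SameSite is also a behavioural choice worth a comment: the cookie is absent on the first request after a cross-site top-level navigation, which is fine for an API used by a same-site front end but surprising otherwise. I would move the cookie into one helper that reads the Secure setting from configuration and pins Path, and have Login, NewUser and Logout call it; a sketch follows with the config lookup left as a placeholder. Login's body begins before this hunk.
```go
// authCookie builds the "jwt" session cookie shared by Login, NewUser and Logout.
// Logout passes maxAge -1 to delete it; a deletion only replaces the stored cookie
// when Name, Path and Domain match, so those attributes are fixed here once.
func authCookie(value string, maxAge int) *http.Cookie {
	c := &http.Cookie{
		Name:     "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
		Value:    value,
		Path:     "/", // explicit, so the handlers' routes no longer decide the cookie's scope
		HttpOnly: true,
		Secure:   cfg.SecureCookies, // PLACEHOLDER: the project's config flag; must be true in production
		SameSite: http.SameSiteStrictMode, // cookie is not sent on cross-site top-level navigations
		MaxAge:   maxAge,
	}
	if maxAge > 0 {
		c.Expires = time.Now().Add(time.Duration(maxAge) * time.Second)
	}
	return c
}

// … in Login and NewUser:
http.SetCookie(w, authCookie(token, 3600))
// … in Logout:
http.SetCookie(w, authCookie("", -1))
```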
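Review bot: The Logout hunk removes the browser's copy of the cookie, but nothing in it invalidates the token itself; if jwtauth.Verifier checks only signature and expiry (not visible in this diff), a token copied before logout stays accepted until the one-hour lifetime set in Login runs out. Until server-side revocation exists that limitation should be stated where the cookie is cleared, e.g. above `http.SetCookie(w, &http.Cookie{`: `// Clears the client cookie only; the JWT stays valid until its own expiry, so revocation has to happen server-side.` Logout's body continues outside the hunk.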
@@ -71,11 +71,11 @@ func NewUser(w http.ResponseWriter, r *http.Request) {
 HttpOnly: true,
 Expires: time.Now().Add(1 * time.Hour),
 MaxAge: 3600,
- SameSite: http.SameSiteLaxMode,
- // Uncomment below for HTTPS:
- // Secure: true,
- Name: "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
- Value: token,
+ SameSite: http.SameSiteStrictMode,
+ // Comment below to disable HTTPS:
+ Secure: true,
+ Name: "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
+ Value: token,
 })
 
 w.Header().Set("Content-Type", "application/json; charset=utf-8")