Merge pull request 'fix(backend): make cookie more strict' (#37) from cookie-security into master

Reviewed-on: https://git.freecumextremist.com/grumbulon/pomme/pulls/37

internal/api/auth.go

@@ -98,11 +98,11 @@ func Login(w http.ResponseWriter, r *http.Request) {
 		HttpOnly: true,
 		Expires:  time.Now().Add(1 * time.Hour),
 		MaxAge:   3600,
-		SameSite: http.SameSiteLaxMode,
-		// Uncomment below for HTTPS:
-		// Secure: true,
-		Name:  "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
-		Value: token,
+		SameSite: http.SameSiteStrictMode,
+		// Comment below to disable HTTPS:
+		Secure: true,
+		Name:   "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
+		Value:  token,
 	})
 
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
@@ -120,10 +120,10 @@ func Logout(w http.ResponseWriter, r *http.Request) {
 	http.SetCookie(w, &http.Cookie{
 		HttpOnly: true,
 		MaxAge:   -1, // Delete the cookie.
-		SameSite: http.SameSiteLaxMode,
-		// Secure: true,
-		Name:  "jwt",
-		Value: "",
+		SameSite: http.SameSiteStrictMode,
+		Secure:   true,
+		Name:     "jwt",
+		Value:    "",
 	})
 
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")

internal/api/users.go

@@ -71,11 +71,11 @@ func NewUser(w http.ResponseWriter, r *http.Request) {
 		HttpOnly: true,
 		Expires:  time.Now().Add(1 * time.Hour),
 		MaxAge:   3600,
-		SameSite: http.SameSiteLaxMode,
-		// Uncomment below for HTTPS:
-		// Secure: true,
-		Name:  "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
-		Value: token,
+		SameSite: http.SameSiteStrictMode,
+		// Comment below to disable HTTPS:
+		Secure: true,
+		Name:   "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
+		Value:  token,
 	})
 
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")