web UI cookie: set the Secure flags if we are over TLS

2024-11-21 23:20:24 +00:00 · 2021-01-28 13:29:16 +01:00 · 2021-01-28 13:29:16 +01:00 · afe1da92c5
commit afe1da92c5
parent 9985224966
2 changed files with 5 additions and 3 deletions
--- a/httpd/auth_utils.go
+++ b/httpd/auth_utils.go
@ -107,7 +107,7 @@ func (c *jwtTokenClaims) createTokenResponse(tokenAuth *jwtauth.JWTAuth) (map[st
 	return response, nil
 }

-func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jwtauth.JWTAuth) error {
+func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, r *http.Request, tokenAuth *jwtauth.JWTAuth) error {
 	resp, err := c.createTokenResponse(tokenAuth)
 	if err != nil {
 		return err
@ -118,6 +118,7 @@ func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jw
 		Path:     webBasePath,
 		Expires:  time.Now().Add(tokenDuration),
 		HttpOnly: true,
+		Secure:   r.TLS != nil,
 	})

 	return nil
@ -130,6 +131,7 @@ func (c *jwtTokenClaims) removeCookie(w http.ResponseWriter, r *http.Request) {
 		Path:     webBasePath,
 		MaxAge:   -1,
 		HttpOnly: true,
+		Secure:   r.TLS != nil,
 	})
 	invalidateToken(r)
 }
--- a/httpd/server.go
+++ b/httpd/server.go
@ -128,7 +128,7 @@ func (s *httpdServer) handleWebLoginPost(w http.ResponseWriter, r *http.Request)
 		Signature:   admin.GetSignature(),
 	}

-	err = c.createAndSetCookie(w, s.tokenAuth)
+	err = c.createAndSetCookie(w, r, s.tokenAuth)
 	if err != nil {
 		renderLoginPage(w, err.Error())
 		return
@ -224,7 +224,7 @@ func (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Reque
 		}
 	}
 	logger.Debug(logSender, "", "cookie refreshed for admin %#v", admin.Username)
-	tokenClaims.createAndSetCookie(w, s.tokenAuth) //nolint:errcheck
+	tokenClaims.createAndSetCookie(w, r, s.tokenAuth) //nolint:errcheck
 }

 func (s *httpdServer) updateContextFromCookie(r *http.Request) *http.Request {