From afe1da92c5d0681ccedb725f354b09a9bbbe9c5c Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Thu, 28 Jan 2021 13:29:16 +0100
Subject: [PATCH] web UI cookie: set the Secure flags if we are over TLS

---
 httpd/auth_utils.go | 4 +++-
 httpd/server.go | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/httpd/auth_utils.go b/httpd/auth_utils.go
index 7bcf44d4..4047b286 100644
--- a/httpd/auth_utils.go
+++ b/httpd/auth_utils.go
@@ -107,7 +107,7 @@ func (c *jwtTokenClaims) createTokenResponse(tokenAuth *jwtauth.JWTAuth) (map[st
 	return response, nil
 }
 
-func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jwtauth.JWTAuth) error {
+func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, r *http.Request, tokenAuth *jwtauth.JWTAuth) error {
 	resp, err := c.createTokenResponse(tokenAuth)
 	if err != nil {
 		return err
@@ -118,6 +118,7 @@ func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, tokenAuth *jw
 		Path: webBasePath,
 		Expires: time.Now().Add(tokenDuration),
 		HttpOnly: true,
+		Secure: r.TLS != nil,
 	})
 
 	return nil
@@ -130,6 +131,7 @@ func (c *jwtTokenClaims) removeCookie(w http.ResponseWriter, r *http.Request) {
 		Path: webBasePath,
 		MaxAge: -1,
 		HttpOnly: true,
+		Secure: r.TLS != nil,
 	})
 	invalidateToken(r)
 }
diff --git a/httpd/server.go b/httpd/server.go
index 120911c6..ac385451 100644
--- a/httpd/server.go
+++ b/httpd/server.go
@@ -128,7 +128,7 @@ func (s *httpdServer) handleWebLoginPost(w http.ResponseWriter, r *http.Request)
 		Signature: admin.GetSignature(),
 	}
 
-	err = c.createAndSetCookie(w, s.tokenAuth)
+	err = c.createAndSetCookie(w, r, s.tokenAuth)
 	if err != nil {
 		renderLoginPage(w, err.Error())
 		return
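Review bot: The new `Secure: r.TLS != nil,` line in the createAndSetCookie hunk decides the flag from this listener's own TLS state, so when TLS is terminated by a reverse proxy in front of the httpd service `r.TLS` is nil and the JWT session cookie is issued without Secure even though the browser is on HTTPS; the same line in the removeCookie hunk has the same limitation. If proxy deployments are supported, the flag should come from a configured setting or from `X-Forwarded-Proto`/`Forwarded` only when the request arrives from a trusted proxy address, and if plain-listener behaviour is intended a comment such as `// Secure only when this listener itself terminates TLS; behind a TLS-terminating proxy r.TLS is nil` next to the field would make that explicit. The cookie struct also sets no SameSite attribute, so unless the UI has a separate CSRF token, cross-site POSTs to the admin UI will carry this cookie; `SameSite: http.SameSiteStrictMode,` (or Lax if the UI must be reachable from external links) placed next to the new Secure field would narrow that. createAndSetCookie begins before this hunk and its http.SetCookie call is only partly visible here.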
@@ -224,7 +224,7 @@ func (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Reque
 		}
 	}
 	logger.Debug(logSender, "", "cookie refreshed for admin %#v", admin.Username)
-	tokenClaims.createAndSetCookie(w, s.tokenAuth) //nolint:errcheck
+	tokenClaims.createAndSetCookie(w, r, s.tokenAuth) //nolint:errcheck
 }
 
 func (s *httpdServer) updateContextFromCookie(r *http.Request) *http.Request {
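Review bot: The refreshed call on the `+` line still discards createAndSetCookie's error under `//nolint:errcheck`, so a failed token re-issue, the same failure handleWebLoginPost reports to the user, leaves the admin holding the expiring cookie with nothing in the logs while the preceding Debug line claims the cookie was refreshed. Logging the outcome keeps the best-effort behaviour without hiding it: `if err := tokenClaims.createAndSetCookie(w, r, s.tokenAuth); err != nil { logger.Debug(logSender, "", "unable to refresh cookie for admin %#v: %v", admin.Username, err) }`, with the existing "cookie refreshed" message moved after the check or reworded. checkCookieExpiration begins before this hunk, so the condition that triggers the refresh is not visible here.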