From 2ffb86daa51bfcacde580e4212706895587025bc Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Mon, 19 Aug 2024 08:00:00 +0800
Subject: [PATCH] oidc.go: Set cookie to Secure when prod=true
---
 config.go | 3 +++
 fbfp.scfg.example | 4 ++++
 oidc.go | 1 +
 3 files changed, 8 insertions(+)
diff --git a/config.go b/config.go
index e53a4a5..71b791f 100644
--- a/config.go
+++ b/config.go
@@ -37,6 +37,7 @@ import (
 var config_with_pointers struct {
 Url *string `scfg:"url"`
+ Prod *bool `scfg:"prod"`
 Tmpl *string `scfg:"tmpl"`
 Static *bool `scfg:"static"`
 Listen struct {
@@ -57,6 +58,7 @@ var config_with_pointers struct {
 var config struct {
 Url string
+ Prod bool
 Tmpl string
 Static bool
 Listen struct {
@@ -87,6 +89,7 @@ func fbfp_get_config(path string) {
 * There should be better ways to handle this.
 */
 config.Url = *(config_with_pointers.Url)
+ config.Prod = *(config_with_pointers.Prod)
 config.Tmpl = *(config_with_pointers.Tmpl)
 config.Static = *(config_with_pointers.Static)
 config.Listen.Addr = *(config_with_pointers.Listen.Addr)
diff --git a/fbfp.scfg.example b/fbfp.scfg.example
index 2868c8e..0e72f37 100644
--- a/fbfp.scfg.example
+++ b/fbfp.scfg.example
@@ -2,6 +2,10 @@
 # and some user-accessible URLs.
 url http://localhost
+# Should we run in production mode? This causes the Secure flag to be set on
+# cookies and may come with other production-related changes in the future.
+prod true
+
 # Where is the tmpl directory? Usually this should be a directory inside
 # the fbfp source directory, though it might exist in /usr/local/share or
 # /usr/share if this ever gets packaged or something.
diff --git a/oidc.go b/oidc.go
index ec31664..aeb2304 100644
--- a/oidc.go
+++ b/oidc.go
@@ -245,6 +245,7 @@ func handle_oidc(w http.ResponseWriter, req *http.Request) {
 Value: cookie_value,
 SameSite: http.SameSiteLaxMode,
 HttpOnly: true,
+ Secure: config.Prod,
 }
 http.SetCookie(w, &cookie)
-- 
2.11.4.GIT
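Review bot: In the third config.go hunk, `config.Prod = *(config_with_pointers.Prod)` dereferences a pointer that presumably stays nil when an already-deployed config file has no `prod` directive. Unless a nil check exists in the part of fbfp_get_config outside this hunk, upgrading without editing the config would panic at startup instead of reporting what is missing. A guard before the dereference that names the directive would make the failure actionable, for example `if config_with_pointers.Prod == nil { /* report: missing "prod" directive */ }`. The sibling fields follow the same pattern, so the guard could cover them too. The function's body starts and ends outside the hunk.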
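Review bot: The example now pairs `prod true` with `url http://localhost`, which asks for Secure cookies on a plain-HTTP URL. Browsers that do not treat localhost as a secure origin will refuse to store such a cookie, so someone copying the file unchanged may find that login silently fails. The comment should state the dependency, for instance `# Requires that url is served over HTTPS; set to false only for local plain-HTTP testing.`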
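Review bot: `Secure: config.Prod` makes the Secure attribute opt-in, so an HTTPS deployment whose operator sets `prod false` issues this cookie without it. The cookie appears to be the login/session cookie set at the end of the OIDC flow, and without Secure it can be sent over plain HTTP. Deriving the attribute from the configured scheme as well would fail safe, e.g. `Secure: config.Prod || strings.HasPrefix(config.Url, "https://"),` (this needs `strings` imported if oidc.go does not already have it). A short comment such as `// Secure is disabled only for plain-HTTP development setups.` on that field would record why it is conditional. handle_oidc starts and ends outside the hunk, so the cookie's name and lifetime are not visible here.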