From 195bd1bc6ab757c599ad12609beb76bb65420257 Mon Sep 17 00:00:00 2001
From: ruessej <85690286+ruessej@users.noreply.github.com>
Date: Mon, 12 Sep 2022 14:37:42 +0200
Subject: [PATCH 1/3] Add a option to disable httpOnly cookies
---
 server/constants/env.go | 4 ++++
 server/cookie/admin_cookie.go | 23 +++++++++++++++++++----
 server/cookie/cookie.go | 23 +++++++++++++++++++----
 server/env/env.go | 28 ++++++++++++++++++++++++++++
 4 files changed, 70 insertions(+), 8 deletions(-)
diff --git a/server/constants/env.go b/server/constants/env.go
index a32f64d..a675dcc 100644
--- a/server/constants/env.go
+++ b/server/constants/env.go
@@ -49,6 +49,10 @@ const (
 EnvKeySenderEmail = "SENDER_EMAIL"
 // EnvKeyIsEmailServiceEnabled key for env variable IS_EMAIL_SERVICE_ENABLED
 EnvKeyIsEmailServiceEnabled = "IS_EMAIL_SERVICE_ENABLED"
+ // EnvKeyAppCookieSecure key for env variable APP_COOKIE_SECURE
+ EnvKeyAppCookieSecure = "APP_COOKIE_SECURE"
+ // EnvKeyAdminCookieSecure key for env variable ADMIN_COOKIE_SECURE
+ EnvKeyAdminCookieSecure = "ADMIN_COOKIE_SECURE"
 // EnvKeyJwtType key for env variable JWT_TYPE
 EnvKeyJwtType = "JWT_TYPE"
 // EnvKeyJwtSecret key for env variable JWT_SECRET
diff --git a/server/cookie/admin_cookie.go b/server/cookie/admin_cookie.go
index 6b64767..f03a945 100644
--- a/server/cookie/admin_cookie.go
+++ b/server/cookie/admin_cookie.go
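Review bot: The doc comments on the two new constants only restate the variable name, which for a switch that relaxes cookie protection tells an operator reading server/constants/env.go too little: say what turning it off does and what the default is, e.g. `// EnvKeyAppCookieSecure key for env variable APP_COOKIE_SECURE; "false" relaxes the attributes of the app session cookie set in server/cookie/cookie.go (default true)` and the equivalent for EnvKeyAdminCookieSecure. The default-true wording reflects the final state of server/env/env.go after the later patches in this series.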
@@ -3,15 +3,24 @@ package cookie import ( "net/url" + log "github.com/sirupsen/logrus" + "github.com/authorizerdev/authorizer/server/constants" + "github.com/authorizerdev/authorizer/server/memorystore" "github.com/authorizerdev/authorizer/server/parsers" "github.com/gin-gonic/gin" ) // SetAdminCookie sets the admin cookie in the response func SetAdminCookie(gc *gin.Context, token string) { - secure := true - httpOnly := true + adminCookieSecure, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyAdminCookieSecure) + if err != nil { + log.Debug("Error while getting admin cookie secure from env variable: %v", err) + adminCookieSecure = true + } + + secure := adminCookieSecure + httpOnly := adminCookieSecure hostname := parsers.GetHost(gc) host, _ := parsers.GetHostParts(hostname) gc.SetCookie(constants.AdminCookieName, token, 3600, "/", host, secure, httpOnly) @@ -35,8 +44,14 @@ func GetAdminCookie(gc *gin.Context) (string, error) { // DeleteAdminCookie sets the response cookie to empty func DeleteAdminCookie(gc *gin.Context) { - secure := true - httpOnly := true + adminCookieSecure, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyAdminCookieSecure) + if err != nil { + log.Debug("Error while getting admin cookie secure from env variable: %v", err) + adminCookieSecure = true + } + + secure := adminCookieSecure + httpOnly := adminCookieSecure hostname := parsers.GetHost(gc) host, _ := parsers.GetHostParts(hostname) gc.SetCookie(constants.AdminCookieName, "", -1, "/", host, secure, httpOnly) diff --git a/server/cookie/cookie.go b/server/cookie/cookie.go index 73c60ea..27b0579 100644 --- a/server/cookie/cookie.go +++ b/server/cookie/cookie.go 
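Review bot: `httpOnly := adminCookieSecure` in SetAdminCookie ties HttpOnly to the same ADMIN_COOKIE_SECURE switch as Secure, so an operator who turns Secure off for a plain-HTTP development host also exposes the admin cookie to script access through document.cookie, a protection that has nothing to do with TLS. Keep `httpOnly := true` and let the variable govern only `secure`; the same coupling is repeated in DeleteAdminCookie below and in SetSession/DeleteSession in server/cookie/cookie.go, and since the patch subject says "disable httpOnly" while the variable is named *_COOKIE_SECURE, either the name or the wiring should change. Separately, `log.Debug("Error while getting admin cookie secure from env variable: %v", err)` hands a format verb to a non-formatting logrus call, so the message is emitted with a literal `%v` followed by the error; `log.Debugf(...)` is intended, in all four places. The fallback to true when the lookup fails is the right fail-safe direction. SetAdminCookie's closing brace lies outside the hunk.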
@@ -4,15 +4,24 @@ import ( "net/http" "net/url" + log "github.com/sirupsen/logrus" + "github.com/authorizerdev/authorizer/server/constants" + "github.com/authorizerdev/authorizer/server/memorystore" "github.com/authorizerdev/authorizer/server/parsers" "github.com/gin-gonic/gin" ) // SetSession sets the session cookie in the response func SetSession(gc *gin.Context, sessionID string) { - secure := true - httpOnly := true + appCookieSecure, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyAppCookieSecure) + if err != nil { + log.Debug("Error while getting app cookie secure from env variable: %v", err) + appCookieSecure = true + } + + secure := appCookieSecure + httpOnly := appCookieSecure hostname := parsers.GetHost(gc) host, _ := parsers.GetHostParts(hostname) domain := parsers.GetDomainName(hostname) @@ -30,8 +39,14 @@ func SetSession(gc *gin.Context, sessionID string) { // DeleteSession sets session cookies to expire func DeleteSession(gc *gin.Context) { - secure := true - httpOnly := true + appCookieSecure, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyAppCookieSecure) + if err != nil { + log.Debug("Error while getting app cookie secure from env variable: %v", err) + appCookieSecure = true + } + + secure := appCookieSecure + httpOnly := appCookieSecure hostname := parsers.GetHost(gc) host, _ := parsers.GetHostParts(hostname) domain := parsers.GetDomainName(hostname) diff --git a/server/env/env.go b/server/env/env.go index 1d30cfe..078b690 100644 --- a/server/env/env.go +++ b/server/env/env.go 
@@ -79,6 +79,8 @@ func InitAllEnv() error { osOrganizationLogo := os.Getenv(constants.EnvKeyOrganizationLogo) // os bool vars + osAppCookieSecure := os.Getenv(constants.EnvKeyAppCookieSecure) + osAdminCookieSecure := os.Getenv(constants.EnvKeyAdminCookieSecure) osDisableBasicAuthentication := os.Getenv(constants.EnvKeyDisableBasicAuthentication) osDisableEmailVerification := os.Getenv(constants.EnvKeyDisableEmailVerification) osDisableMagicLinkLogin := os.Getenv(constants.EnvKeyDisableMagicLinkLogin) @@ -417,6 +419,32 @@ func InitAllEnv() error { envData[constants.EnvKeyOrganizationLogo] = osOrganizationLogo } + if _, ok := envData[constants.EnvKeyAppCookieSecure]; !ok { + envData[constants.EnvKeyAppCookieSecure] = osAppCookieSecure == "true" + } + if osAppCookieSecure != "" { + boolValue, err := strconv.ParseBool(osAppCookieSecure) + if err != nil { + return err + } + if boolValue != envData[constants.EnvKeyAppCookieSecure].(bool) { + envData[constants.EnvKeyAppCookieSecure] = boolValue + } + } + + if _, ok := envData[constants.EnvKeyAdminCookieSecure]; !ok { + envData[constants.EnvKeyAdminCookieSecure] = osAdminCookieSecure == "true" + } + if osAdminCookieSecure != "" { + boolValue, err := strconv.ParseBool(osAdminCookieSecure) + if err != nil { + return err + } + if boolValue != envData[constants.EnvKeyAdminCookieSecure].(bool) { + envData[constants.EnvKeyAdminCookieSecure] = boolValue + } + } + if _, ok := envData[constants.EnvKeyDisableBasicAuthentication]; !ok { envData[constants.EnvKeyDisableBasicAuthentication] = osDisableBasicAuthentication == "true" } From 8e0c5e4380beed367c8556f47f198d7ce94a12a7 Mon Sep 17 00:00:00 2001 From: Jerebtw <49494752+jerebtw@users.noreply.github.com> Date: Wed, 14 Sep 2022 11:55:47 +0200 Subject: [PATCH 2/3] Make the default value true --- server/env/env.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/server/env/env.go b/server/env/env.go index 078b690..c77c83b 100644 --- a/server/env/env.go 
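Review bot: `if boolValue != envData[constants.EnvKeyAppCookieSecure].(bool) {` is an unchecked type assertion on an entry this hunk does not set when the key is already present, so a non-bool value there panics InitAllEnv during startup instead of surfacing through the error return the function already has; the admin block a few lines further down has the same shape. Prefer the two-value form, `current, ok := envData[constants.EnvKeyAppCookieSecure].(bool)` then `if !ok || boolValue != current {`, which lets the parsed environment value replace a stale or mistyped stored one. The trailing context shows the existing DisableBasicAuthentication block uses the same bare assertion, so this may be deliberate consistency, but new code need not inherit the panic path. InitAllEnv starts before and ends after this hunk.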
+++ b/server/env/env.go
@@ -420,7 +420,11 @@ func InitAllEnv() error {
 }
 if _, ok := envData[constants.EnvKeyAppCookieSecure]; !ok {
- envData[constants.EnvKeyAppCookieSecure] = osAppCookieSecure == "true"
+ if osAppCookieSecure == "" {
+ envData[constants.EnvKeyAppCookieSecure] = "true"
+ } else {
+ envData[constants.EnvKeyAppCookieSecure] = osAppCookieSecure == "true"
+ }
 }
 if osAppCookieSecure != "" {
 boolValue, err := strconv.ParseBool(osAppCookieSecure)
@@ -433,7 +437,11 @@ func InitAllEnv() error {
 }
 if _, ok := envData[constants.EnvKeyAdminCookieSecure]; !ok {
- envData[constants.EnvKeyAdminCookieSecure] = osAdminCookieSecure == "true"
+ if osAdminCookieSecure == "" {
+ envData[constants.EnvKeyAdminCookieSecure] = "true"
+ } else {
+ envData[constants.EnvKeyAdminCookieSecure] = osAdminCookieSecure == "true"
+ }
 }
 if osAdminCookieSecure != "" {
 boolValue, err := strconv.ParseBool(osAdminCookieSecure)
From 6085c2d5352b72dcfbd8a4fadc1a42717003af9d Mon Sep 17 00:00:00 2001
From: ruessej
Date: Wed, 14 Sep 2022 12:24:19 +0200
Subject: [PATCH 3/3] Fix incorrect type
---
 server/env/env.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/env/env.go b/server/env/env.go
index c77c83b..62b572f 100644
--- a/server/env/env.go
+++ b/server/env/env.go
@@ -421,7 +421,7 @@ func InitAllEnv() error {
 if _, ok := envData[constants.EnvKeyAppCookieSecure]; !ok {
 if osAppCookieSecure == "" {
- envData[constants.EnvKeyAppCookieSecure] = "true"
+ envData[constants.EnvKeyAppCookieSecure] = true
 } else {
 envData[constants.EnvKeyAppCookieSecure] = osAppCookieSecure == "true"
 }
@@ -438,7 +438,7 @@ func InitAllEnv() error {
 if _, ok := envData[constants.EnvKeyAdminCookieSecure]; !ok {
 if osAdminCookieSecure == "" {
- envData[constants.EnvKeyAdminCookieSecure] = "true"
+ envData[constants.EnvKeyAdminCookieSecure] = true
 } else {
 envData[constants.EnvKeyAdminCookieSecure] = osAdminCookieSecure == "true"
 }
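Review bot: The new `else` branch, `envData[constants.EnvKeyAppCookieSecure] = osAppCookieSecure == "true"`, never decides the final value: whenever osAppCookieSecure is non-empty the `if osAppCookieSecure != ""` block directly below re-parses it with strconv.ParseBool and, per the first patch in this series, either returns the parse error or overwrites the entry, and the two parsers disagree ("1", "t" and "TRUE" are true for ParseBool but false for `== "true"`). Reducing the default block to `if _, ok := envData[constants.EnvKeyAppCookieSecure]; !ok { envData[constants.EnvKeyAppCookieSecure] = true }` leaves ParseBool as the single place that interprets the variable; the admin hunk at @@ -433 has the identical shape. InitAllEnv starts before and ends after this hunk.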