feat: add HTTPS-aware session cookie helpers

This commit is contained in:
2026-06-27 21:05:09 +02:00
parent 63221d72dc
commit 6edb93d5af

58
internal/auth/cookie.go Normal file
View File

@@ -0,0 +1,58 @@
package auth
import (
"net/http"
"strings"
"mal/internal/domain"
"github.com/gin-gonic/gin"
)
const sessionCookieName = "session_id"
func setSessionCookie(c *gin.Context, value string, maxAge int) {
http.SetCookie(c.Writer, &http.Cookie{
Name: sessionCookieName,
Value: value,
Path: "/",
MaxAge: maxAge,
Secure: isHTTPSRequest(c.Request),
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
})
}
func setPersistentSessionCookie(c *gin.Context, value string) {
setSessionCookie(c, value, int(domain.SessionLifetime.Seconds()))
}
func clearSessionCookie(c *gin.Context) {
setSessionCookie(c, "", -1)
}
func isHTTPSRequest(r *http.Request) bool {
if r.TLS != nil {
return true
}
proto := r.Header.Get("X-Forwarded-Proto")
if i := strings.IndexByte(proto, ','); i >= 0 {
proto = proto[:i]
}
if strings.EqualFold(strings.TrimSpace(proto), "https") {
return true
}
forwarded := r.Header.Values("Forwarded")
for _, value := range forwarded {
for _, part := range strings.Split(value, ";") {
key, val, ok := strings.Cut(strings.TrimSpace(part), "=")
if ok && strings.EqualFold(key, "proto") && strings.EqualFold(strings.Trim(val, `"`), "https") {
return true
}
}
}
return false
}