feat: add HTTPS-aware session cookie helpers
This commit is contained in:
58
internal/auth/cookie.go
Normal file
58
internal/auth/cookie.go
Normal file
@@ -0,0 +1,58 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"mal/internal/domain"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
const sessionCookieName = "session_id"
|
||||
|
||||
func setSessionCookie(c *gin.Context, value string, maxAge int) {
|
||||
http.SetCookie(c.Writer, &http.Cookie{
|
||||
Name: sessionCookieName,
|
||||
Value: value,
|
||||
Path: "/",
|
||||
MaxAge: maxAge,
|
||||
Secure: isHTTPSRequest(c.Request),
|
||||
HttpOnly: true,
|
||||
SameSite: http.SameSiteLaxMode,
|
||||
})
|
||||
}
|
||||
|
||||
func setPersistentSessionCookie(c *gin.Context, value string) {
|
||||
setSessionCookie(c, value, int(domain.SessionLifetime.Seconds()))
|
||||
}
|
||||
|
||||
func clearSessionCookie(c *gin.Context) {
|
||||
setSessionCookie(c, "", -1)
|
||||
}
|
||||
|
||||
func isHTTPSRequest(r *http.Request) bool {
|
||||
if r.TLS != nil {
|
||||
return true
|
||||
}
|
||||
|
||||
proto := r.Header.Get("X-Forwarded-Proto")
|
||||
if i := strings.IndexByte(proto, ','); i >= 0 {
|
||||
proto = proto[:i]
|
||||
}
|
||||
if strings.EqualFold(strings.TrimSpace(proto), "https") {
|
||||
return true
|
||||
}
|
||||
|
||||
forwarded := r.Header.Values("Forwarded")
|
||||
for _, value := range forwarded {
|
||||
for _, part := range strings.Split(value, ";") {
|
||||
key, val, ok := strings.Cut(strings.TrimSpace(part), "=")
|
||||
if ok && strings.EqualFold(key, "proto") && strings.EqualFold(strings.Trim(val, `"`), "https") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
Reference in New Issue
Block a user