authorAdam Mathes <adam@adammathes.com>2026-02-14 11:02:38 -0800
committerAdam Mathes <adam@adammathes.com>2026-02-14 11:02:38 -0800
commitb47721a02d3fdfb1b6a565df29c85e7c51d8c490 (patch)
treef9540e4f7e3a152fd3c9f86f484e97e42f13422f /web
parent5e24550cacd0f80ea4ec62dab873e747b2ae86b7 (diff)
feat: add secure_cookies configuration option

- Added SecureCookies bool field to config.Settings
- Added --secure-cookies command line flag
- Updated CSRFMiddleware to use config setting instead of hardcoded value
- Default is false for local development, set to true for production HTTPS
- Updated config.example and README.md with documentation
- Updated tests to pass config to CSRFMiddleware

This allows users to easily switch between insecure cookies (for local dev)
and secure cookies (for production HTTPS) via config file or command line.
Diffstat (limited to 'web')
-rw-r--r--web/web.go6
-rw-r--r--web/web_test.go3
2 files changed, 5 insertions, 4 deletions
diff --git a/web/web.go b/web/web.go
index d8dd832..892def3 100644
--- a/web/web.go
+++ b/web/web.go
@@ -265,7 +265,7 @@ func NewRouter(cfg *config.Settings) http.Handler {
// Removed default root handler for legacy UI
- return SecurityHeadersMiddleware(CSRFMiddleware(mux))
+ return SecurityHeadersMiddleware(CSRFMiddleware(cfg, mux))
}
func Serve(cfg *config.Settings) {
@@ -362,7 +362,7 @@ func generateRandomToken(n int) string {
return hex.EncodeToString(b)
}
-func CSRFMiddleware(next http.Handler) http.Handler {
+func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
cookie, err := r.Cookie("csrf_token")
var token string
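Review bot: CSRFMiddleware is exported and gains a `cfg` parameter here, but the hunk shows no doc comment describing what the middleware does or what it reads from the settings; add `// CSRFMiddleware issues a csrf_token cookie when the request carries none; cfg.SecureCookies controls the cookie's Secure attribute.` above the new signature. The setting is only dereferenced inside the returned handler (the Secure field is set in the next hunk), so a nil `cfg` would panic on the first request rather than when the router is built; a construction-time check such as `if cfg == nil { panic("web: CSRFMiddleware requires non-nil config") }` before the `return http.HandlerFunc(...)` would surface a wiring mistake at startup. The function body continues past the end of this hunk.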
@@ -374,7 +374,7 @@ func CSRFMiddleware(next http.Handler) http.Handler {
Path: "/",
HttpOnly: false, // accessible by JS
SameSite: http.SameSiteNoneMode,
- Secure: false, // Set to true in production with HTTPS
+ Secure: cfg.SecureCookies,
})
} else {
token = cookie.Value
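Review bot: With the default `SecureCookies: false` described in the commit message, the cookie is still issued with `SameSite: http.SameSiteNoneMode` (the line above the changed `Secure:` field), and current mainstream browsers reject a SameSite=None cookie that is not also Secure, so the local-development default most likely produces a CSRF cookie the browser never stores and every state-changing request then fails the token check. Either derive SameSite from the same setting, e.g. `sameSite := http.SameSiteLaxMode`, `if cfg.SecureCookies { sameSite = http.SameSiteNoneMode }`, and `SameSite: sameSite,`, or, if the cookie genuinely has to travel cross-site, keep None and require Secure unconditionally (browsers allow Secure cookies on http://localhost). The surrounding `if` block and the handler closure both start before this hunk.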
diff --git a/web/web_test.go b/web/web_test.go
index c6cf306..0cd2764 100644
--- a/web/web_test.go
+++ b/web/web_test.go
@@ -737,7 +737,8 @@ func TestGzipMiddlewareNonCompressible(t *testing.T) {
}
func TestCSRFMiddleware(t *testing.T) {
- handler := CSRFMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ cfg := &config.Settings{SecureCookies: false}
+ handler := CSRFMiddleware(cfg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
}))