Allow to disable cookies secure flag when needed

cmd/init.go

@@ -606,7 +606,8 @@ func initAuth(o *oidc.Manager, rd *redis.Client) *auth_.Auth {
 		log.Fatalf("error initializing auth: %v", err)
 	}
 
-	auth, err := auth_.New(auth_.Config{Providers: providers}, rd, lo)
+	secure := !ko.Bool("app.server.disable_secure_cookies")
+	auth, err := auth_.New(auth_.Config{Providers: providers, SecureCookies: secure}, rd, lo)
 	if err != nil {
 		log.Fatalf("error initializing auth: %v", err)
 	}

config.sample.toml

@@ -8,6 +8,9 @@ check_updates = true
 [app.server]
 address = "0.0.0.0:9000"
 socket = ""
+# Do NOT disable secure cookies in production environment if you don't know
+# exactly what you're doing!
+disable_secure_cookies = false
 read_timeout = "5s"
 write_timeout = "5s"
 max_body_size = 500000000

internal/auth/auth.go

@@ -46,7 +46,8 @@ type Provider struct {
 
 // Config stores multiple OIDC provider configurations
 type Config struct {
-	Providers []Provider
+	Providers     []Provider
+	SecureCookies bool
 }
 
 // Auth is the auth service it manages OIDC authentication and sessions
@@ -92,7 +93,7 @@ func New(cfg Config, rd *redis.Client, logger *logf.Logger) (*Auth, error) {
 		Cookie: simplesessions.CookieOptions{
 			Name:       "libredesk_session",
 			IsHTTPOnly: true,
-			IsSecure:   true,
+			IsSecure:   cfg.SecureCookies,
 			MaxAge:     time.Hour * 9,
 		},
 	})
@@ -282,7 +283,7 @@ func (a *Auth) SetCSRFCookie(r *fastglue.Request) error {
 		csrfCookie.SetKey("csrf_token")
 		csrfCookie.SetValue(token)
 		csrfCookie.SetPath("/")
-		csrfCookie.SetSecure(true)
+		csrfCookie.SetSecure(a.cfg.SecureCookies)
 		csrfCookie.SetHTTPOnly(false)
 		r.RequestCtx.Response.Header.SetCookie(&csrfCookie)
 		return nil