From a5a9d1304cdecdb8263a677f7019410cab0e9a65 Mon Sep 17 00:00:00 2001
From: Jonathan Leroy
Date: Mon, 24 Mar 2025 12:24:50 +0100
Subject: [PATCH] Allow to disable cookies secure flag when needed

---
 cmd/init.go | 3 ++-
 config.sample.toml | 3 +++
 internal/auth/auth.go | 7 ++++---
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/cmd/init.go b/cmd/init.go
index a72c6bc..615a929 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -606,7 +606,8 @@ func initAuth(o *oidc.Manager, rd *redis.Client) *auth_.Auth {
 log.Fatalf("error initializing auth: %v", err)
 }
 
- auth, err := auth_.New(auth_.Config{Providers: providers}, rd, lo)
+ secure := !ko.Bool("app.server.disable_secure_cookies")
+ auth, err := auth_.New(auth_.Config{Providers: providers, SecureCookies: secure}, rd, lo)
 if err != nil {
 log.Fatalf("error initializing auth: %v", err)
 }
diff --git a/config.sample.toml b/config.sample.toml
index f072ee6..26abcba 100644
--- a/config.sample.toml
+++ b/config.sample.toml
@@ -8,6 +8,9 @@ check_updates = true
 [app.server]
 address = "0.0.0.0:9000"
 socket = ""
+# Do NOT disable secure cookies in production environment if you don't know
+# exactly what you're doing!
+disable_secure_cookies = false
 read_timeout = "5s"
 write_timeout = "5s"
 max_body_size = 500000000
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 9a9b24d..fca0760 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -46,7 +46,8 @@ type Provider struct {
 
 // Config stores multiple OIDC provider configurations
 type Config struct {
- Providers []Provider
+ Providers []Provider
+ SecureCookies bool
 }
 
 // Auth is the auth service it manages OIDC authentication and sessions
@@ -92,7 +93,7 @@ func New(cfg Config, rd *redis.Client, logger *logf.Logger) (*Auth, error) {
 Cookie: simplesessions.CookieOptions{
 Name: "libredesk_session",
 IsHTTPOnly: true,
- IsSecure: true,
+ IsSecure: cfg.SecureCookies,
 MaxAge: time.Hour * 9,
 },
 })
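Review bot: Nothing records that the Secure attribute was dropped when `app.server.disable_secure_cookies` is true, so an operator who leaves it enabled in production gets no signal at all; the new `secure :=` line is the natural place to surface it, e.g. `if !secure { log.Println("WARNING: app.server.disable_secure_cookies is set; session and CSRF cookies will be sent without the Secure attribute") }`, using the `log` package already called two lines above. initAuth begins and ends outside the hunk.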
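Review bot: The added comment above `disable_secure_cookies` warns against the setting but never says what it does or when it is legitimately needed, so a reader cannot tell whether their deployment is the intended case. Suggested wording: `# When true, the session and CSRF cookies are set without the Secure attribute, so browsers also send them over plain HTTP. Only enable this when the server is reached over HTTP without TLS (e.g. local development); never in production.`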
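Review bot: The zero value of the new `SecureCookies` field means "not secure": any caller that builds `Config{Providers: ...}` without setting it (older call sites, tests) silently loses the Secure attribute at the `IsSecure: cfg.SecureCookies` site in New and at `csrfCookie.SetSecure(a.cfg.SecureCookies)` in SetCSRFCookie, whereas before this commit both were hard-coded to true. Inverting the field so the zero value stays safe avoids that — `DisableSecureCookies bool`, with `IsSecure: !cfg.DisableSecureCookies` and `SetSecure(!a.cfg.DisableSecureCookies)`, and cmd/init.go then passes `ko.Bool("app.server.disable_secure_cookies")` through directly. Either way the field needs a doc comment, e.g. `// SecureCookies sets the Secure attribute on the session and CSRF cookies; leave it true unless the server is only reachable over plain HTTP.`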
@@ -282,7 +283,7 @@ func (a *Auth) SetCSRFCookie(r *fastglue.Request) error {
 csrfCookie.SetKey("csrf_token")
 csrfCookie.SetValue(token)
 csrfCookie.SetPath("/")
- csrfCookie.SetSecure(true)
+ csrfCookie.SetSecure(a.cfg.SecureCookies)
 csrfCookie.SetHTTPOnly(false)
 r.RequestCtx.Response.Header.SetCookie(&csrfCookie)
 return nil