
Merge pull request #2052 from porter-dev/belanger/add-insecure-cookie-opt

Add option to make Porter cookie insecure
abelanger5 4 tahun lalu
induk
melakukan
7e1ec3d404

+ 1 - 0
api/server/shared/config/env/envconfs.go

@@ -20,6 +20,7 @@ type ServerConf struct {
 	StaticFilePath       string        `env:"STATIC_FILE_PATH,default=/porter/static"`
 	CookieName           string        `env:"COOKIE_NAME,default=porter"`
 	CookieSecrets        []string      `env:"COOKIE_SECRETS,default=random_hash_key_;random_block_key"`
+	CookieInsecure       bool          `env:"COOKIE_INSECURE,default=false"`
 	TokenGeneratorSecret string        `env:"TOKEN_GENERATOR_SECRET,default=secret"`
 	TimeoutRead          time.Duration `env:"SERVER_TIMEOUT_READ,default=5s"`
 	TimeoutWrite         time.Duration `env:"SERVER_TIMEOUT_WRITE,default=10s"`
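Review bot: The new `CookieInsecure` field in `ServerConf` has no comment saying what `COOKIE_INSECURE` weakens, and this struct is where an operator looks to learn what the variable does. Judging by the sessionstore change in this commit, setting it to true removes the Secure attribute from the session cookie, so the browser will also send it over unencrypted HTTP. I would add a line above the field such as `// CookieInsecure omits the Secure attribute from the session cookie; leave false unless Porter is served over plain HTTP (e.g. local development).` The struct's declaration continues outside the hunk.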

+ 1 - 0
api/server/shared/config/loader/loader.go

@@ -91,6 +91,7 @@ func (e *EnvConfigLoader) LoadConfig() (res *config.Config, err error) {
 		&sessionstore.NewStoreOpts{
 			SessionRepository: res.Repo.Session(),
 			CookieSecrets:     envConf.ServerConf.CookieSecrets,
+			Insecure:          envConf.ServerConf.CookieInsecure,
 		},
 	)
 

+ 3 - 1
internal/auth/sessionstore/sessionstore.go

@@ -111,6 +111,8 @@ func (store *PGStore) save(session *sessions.Session) error {
 type NewStoreOpts struct {
 	SessionRepository repository.SessionRepository
 	CookieSecrets     []string
+
+	Insecure bool
 }
 
 // NewStore takes an initialized db and session key pairs to create a session-store in postgres db.
@@ -126,7 +128,7 @@ func NewStore(opts *NewStoreOpts) (*PGStore, error) {
 		Options: &sessions.Options{
 			Path:     "/",
 			MaxAge:   86400 * 30,
-			Secure:   true,
+			Secure:   !opts.Insecure,
 			HttpOnly: true,
 			SameSite: http.SameSiteLaxMode,
 		},
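Review bot: `Secure: !opts.Insecure` lets a single environment variable strip the Secure attribute from a session cookie that the same Options block keeps for 30 days (`MaxAge: 86400 * 30`), and nothing in the visible code records that the downgrade is active. With the flag on, the cookie travels over plain HTTP and, if observed in transit, may remain usable for as long as the server-side session lives (not visible here). I would emit one warning at startup when `opts.Insecure` is true, in NewStore or at the LoadConfig call site, whichever has a logger in scope. The `Insecure` field in `NewStoreOpts` should also get a comment such as `// Insecure omits the Secure attribute from the session cookie; use only when Porter is served over plain HTTP.` NewStore's body starts and ends outside the hunk.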