diff --git a/README.md b/README.md
index d7f7eff..34693ea 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,11 @@ If you like this project, please consider supporting it 🙂. You can donate eit
 ## Prerequisites
 **On the server side:**
-* Go > 1.13 (with `$GOPATH` properly set)
+* Go >= 1.13 (with `$GOPATH` properly set)
+* gcc (to compile [go-sqlite3](https://github.com/mattn/go-sqlite3))
+ * Fedora / RHEL: `dnf install @development-tools`
+ * Ubuntu / Debian: `apt install build-essential`
+ * Windows: See [here](https://github.com/mattn/go-sqlite3/issues/214#issuecomment-244604166)
 * _Optional_: A MySQL- or Postgres database
 **On your local machine:**
diff --git a/config.ini b/config.ini
index 7f3fc25..e8a7bd4 100644
--- a/config.ini
+++ b/config.ini
@@ -2,6 +2,7 @@
 listen = 127.0.0.1
 port = 3000
 base_path = /
+insecure_cookies = false
 [app]
 cleanup = false
diff --git a/middlewares/authenticate.go b/middlewares/authenticate.go
index 4298795..03646d7 100644
--- a/middlewares/authenticate.go
+++ b/middlewares/authenticate.go
@@ -57,7 +57,7 @@ func (m *AuthenticateMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Reques
 if strings.HasPrefix(r.URL.Path, "/api") {
 w.WriteHeader(http.StatusUnauthorized)
 } else {
- utils.ClearCookie(w, models.AuthCookieKey)
+ utils.ClearCookie(w, models.AuthCookieKey, !m.config.InsecureCookies)
 http.Redirect(w, r, fmt.Sprintf("%s/?error=unauthorized", m.config.BasePath), http.StatusFound)
 }
 return
diff --git a/models/config.go b/models/config.go
index 39fcdae..d3b1f31 100644
--- a/models/config.go
+++ b/models/config.go
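Review bot: The new `insecure_cookies` key lands in the sample config with no explanation of what it switches off, so an operator copying this file cannot tell that `true` strips the Secure attribute from the auth cookie and lets it travel over plain HTTP. A comment directly above the key, `; only for deployments served over plain HTTP: drops the Secure flag from the auth cookie`, would keep that trade-off visible where it is configured. It may also be worth stating there that models/config.go forces the flag on whenever the env is dev/development, regardless of this value.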
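Review bot: The cookie polarity is spelled out as `!m.config.InsecureCookies` here and again in both hunks of routes/public.go, so every call site has to remember to negate a flag whose name is itself negative, which is an easy place to get the sense wrong later. A small accessor on Config, `func (c *Config) SecureCookies() bool { return !c.InsecureCookies }`, would let this read `utils.ClearCookie(w, models.AuthCookieKey, m.config.SecureCookies())` and keep the inversion in one place. ServeHTTP's body starts and ends outside the hunk.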
@@ -34,13 +34,18 @@ type Config struct {
 PasswordSalt string
 SecureCookieHashKey string
 SecureCookieBlockKey string
+ InsecureCookies bool
 CustomLanguages map[string]string
 LanguageColors map[string]string
 SecureCookie *securecookie.SecureCookie
 }
 func (c *Config) IsDev() bool {
- return c.Env == "dev"
+ return IsDev(c.Env)
+}
+
+func IsDev(env string) bool {
+ return env == "dev" || env == "development"
 }
 func SetConfig(config *Config) {
@@ -104,6 +109,7 @@ func readConfig() *Config {
 dbMaxConn := cfg.Section("database").Key("max_connections").MustUint(1)
 addr := cfg.Section("server").Key("listen").MustString("127.0.0.1")
+ insecureCookies := IsDev(env) || cfg.Section("server").Key("insecure_cookies").MustBool(false)
 port, err := strconv.Atoi(os.Getenv("PORT"))
 if err != nil {
 port = cfg.Section("server").Key("port").MustInt()
@@ -164,6 +170,7 @@ func readConfig() *Config {
 DbDialect: dbType,
 DbMaxConn: dbMaxConn,
 CleanUp: cleanUp,
+ InsecureCookies: insecureCookies,
 SecureCookie: secureCookie,
 PasswordSalt: passwordSalt,
 DefaultUserName: defaultUserName,
diff --git a/routes/public.go b/routes/public.go
index 9c7a5ce..69ee0e0 100644
--- a/routes/public.go
+++ b/routes/public.go
@@ -93,7 +93,7 @@ func (h *IndexHandler) Login(w http.ResponseWriter, r *http.Request) {
 Name: models.AuthCookieKey,
 Value: encoded,
 Path: "/",
- Secure: true,
+ Secure: !h.config.InsecureCookies,
 HttpOnly: true,
 }
 http.SetCookie(w, cookie)
@@ -105,7 +105,7 @@ func (h *IndexHandler) Logout(w http.ResponseWriter, r *http.Request) {
 loadTemplates()
 }
- utils.ClearCookie(w, models.AuthCookieKey)
+ utils.ClearCookie(w, models.AuthCookieKey, !h.config.InsecureCookies)
 http.Redirect(w, r, fmt.Sprintf("%s/", h.config.BasePath), http.StatusFound)
 }
diff --git a/utils/http.go b/utils/http.go
index b60e9ee..b003578 100644
--- a/utils/http.go
+++ b/utils/http.go
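Review bot: `IsDev` is a new exported function without a doc comment, and because `(*Config).IsDev` now delegates to it, every existing caller of that method also starts treating `"development"` as dev mode, which is a wider behaviour change than the cookie flag this commit is about; those callers are not visible here, so it is worth checking nothing else keys off the exact string. A comment such as `// IsDev reports whether env names a development environment ("dev" or "development").` would at least pin down the accepted values.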
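Review bot: `insecureCookies` becomes true silently whenever `IsDev(env)` holds, whatever the ini says, and `insecure_cookies = true` in a non-dev deployment is accepted without any feedback, so a production instance can end up issuing its auth cookie without the Secure attribute and nothing in the logs shows it. A startup warning for the non-dev case, `if insecureCookies && !IsDev(env) { log.Printf("warning: insecure_cookies is enabled, the auth cookie will be sent over plain HTTP") }`, is cheap and makes the downgrade visible; whether `log` is already imported in this file cannot be seen from the hunk. readConfig continues outside the hunk.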
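Review bot: The auth cookie literal in Login sets Secure and HttpOnly but no SameSite attribute, so the browser still attaches it to cross-site requests; with Go >= 1.13 required by the README the field is available, and `SameSite: http.SameSiteLaxMode,` beside the new `Secure:` line would close that gap without, as far as the redirect-based login flow visible here suggests, affecting normal navigation. The same attribute is missing from the clearing cookie written by utils.ClearCookie. Login's body starts and ends outside the hunk.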
@@ -13,12 +13,12 @@ func RespondJSON(w http.ResponseWriter, status int, object interface{}) {
 }
 }
-func ClearCookie(w http.ResponseWriter, name string) {
+func ClearCookie(w http.ResponseWriter, name string, secure bool) {
 http.SetCookie(w, &http.Cookie{
 Name: name,
 Value: "",
 Path: "/",
- Secure: true,
+ Secure: secure,
 HttpOnly: true,
 })
 }
diff --git a/version.txt b/version.txt
index 63ebd3f..5ebba4f 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.5.4
\ No newline at end of file
+1.5.5
\ No newline at end of file
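Review bot: `ClearCookie` gains a new exported parameter but still has no doc comment, and the replacement cookie it writes carries neither `MaxAge: -1` nor a past `Expires`, so the browser keeps an empty-valued cookie rather than deleting it; adding `MaxAge: -1,` to the literal makes the removal explicit. A comment such as `// ClearCookie overwrites the named cookie with an empty value. secure sets the Secure attribute of the replacement and should match the flag the cookie was originally set with.` would document the parameter. Be aware that current browsers refuse to let a non-Secure cookie set over plain HTTP replace an existing Secure cookie of the same name, so a deployment that flips insecure_cookies while users still hold Secure cookies may find logout does not clear them.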