feat: allow insecure cookies (resolve #27)

README.md

@@ -17,7 +17,11 @@ If you like this project, please consider supporting it 🙂. You can donate eit
 
 ## Prerequisites
 **On the server side:**
-* Go > 1.13 (with `$GOPATH` properly set)
+* Go >= 1.13 (with `$GOPATH` properly set)
+* gcc (to compile [go-sqlite3](https://github.com/mattn/go-sqlite3))
+    * Fedora / RHEL: `dnf install @development-tools`
+    * Ubuntu / Debian: `apt install build-essential`
+    * Windows: See [here](https://github.com/mattn/go-sqlite3/issues/214#issuecomment-244604166)
 * _Optional_: A MySQL- or Postgres database
 
 **On your local machine:**

config.ini

@@ -2,6 +2,7 @@
 listen = 127.0.0.1
 port = 3000
 base_path = /
+insecure_cookies = false
 
 [app]
 cleanup = false

middlewares/authenticate.go

@@ -57,7 +57,7 @@ func (m *AuthenticateMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Reques
 		if strings.HasPrefix(r.URL.Path, "/api") {
 			w.WriteHeader(http.StatusUnauthorized)
 		} else {
-			utils.ClearCookie(w, models.AuthCookieKey)
+			utils.ClearCookie(w, models.AuthCookieKey, !m.config.InsecureCookies)
 			http.Redirect(w, r, fmt.Sprintf("%s/?error=unauthorized", m.config.BasePath), http.StatusFound)
 		}
 		return

models/config.go

@@ -34,13 +34,18 @@ type Config struct {
 	PasswordSalt         string
 	SecureCookieHashKey  string
 	SecureCookieBlockKey string
+	InsecureCookies      bool
 	CustomLanguages      map[string]string
 	LanguageColors       map[string]string
 	SecureCookie         *securecookie.SecureCookie
 }
 
 func (c *Config) IsDev() bool {
-	return c.Env == "dev"
+	return IsDev(c.Env)
+}
+
+func IsDev(env string) bool {
+	return env == "dev" || env == "development"
 }
 
 func SetConfig(config *Config) {
@@ -104,6 +109,7 @@ func readConfig() *Config {
 
 	dbMaxConn := cfg.Section("database").Key("max_connections").MustUint(1)
 	addr := cfg.Section("server").Key("listen").MustString("127.0.0.1")
+	insecureCookies := IsDev(env) || cfg.Section("server").Key("insecure_cookies").MustBool(false)
 	port, err := strconv.Atoi(os.Getenv("PORT"))
 	if err != nil {
 		port = cfg.Section("server").Key("port").MustInt()
@@ -164,6 +170,7 @@ func readConfig() *Config {
 		DbDialect:           dbType,
 		DbMaxConn:           dbMaxConn,
 		CleanUp:             cleanUp,
+		InsecureCookies:     insecureCookies,
 		SecureCookie:        secureCookie,
 		PasswordSalt:        passwordSalt,
 		DefaultUserName:     defaultUserName,

routes/public.go

@@ -93,7 +93,7 @@ func (h *IndexHandler) Login(w http.ResponseWriter, r *http.Request) {
 		Name:     models.AuthCookieKey,
 		Value:    encoded,
 		Path:     "/",
-		Secure:   true,
+		Secure:   !h.config.InsecureCookies,
 		HttpOnly: true,
 	}
 	http.SetCookie(w, cookie)
@@ -105,7 +105,7 @@ func (h *IndexHandler) Logout(w http.ResponseWriter, r *http.Request) {
 		loadTemplates()
 	}
 
-	utils.ClearCookie(w, models.AuthCookieKey)
+	utils.ClearCookie(w, models.AuthCookieKey, !h.config.InsecureCookies)
 	http.Redirect(w, r, fmt.Sprintf("%s/", h.config.BasePath), http.StatusFound)
 }
 

utils/http.go

@@ -13,12 +13,12 @@ func RespondJSON(w http.ResponseWriter, status int, object interface{}) {
 	}
 }
 
-func ClearCookie(w http.ResponseWriter, name string) {
+func ClearCookie(w http.ResponseWriter, name string, secure bool) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     name,
 		Value:    "",
 		Path:     "/",
-		Secure:   true,
+		Secure:   secure,
 		HttpOnly: true,
 	})
 }

version.txt

@@ -1 +1 @@
-1.5.4
+1.5.5