handle token cookies if env is local

broneks · Nov 25, 2024 · 457c2da · 457c2da
1 parent 5f4b448
commit 457c2da
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 6 deletions.
diff --git a/api/service/authservice/new_access_token_cookie.go b/api/service/authservice/new_access_token_cookie.go
@@ -2,21 +2,30 @@ package authservice
 
 import (
 	"net/http"
+	"os"
 	"time"
 )
 
 func (svc *AuthService) NewAccessTokenCookie(value string) *http.Cookie {
+	env := os.Getenv("ENV")
+
 	cookie := &http.Cookie{
 		Name:     "piccolo-access-token",
 		Value:    value,
 		HttpOnly: true,
-		Secure:   false, // TODO change this for production
-		// SameSite: http.SameSiteStrictMode, // Prevents CSRF by restricting cross-site cookie transmission TODO
-		Path: "/",
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	}
+
+	if env == "local" {
+		cookie.Secure = false
+		cookie.SameSite = http.SameSiteNoneMode
 	}
 
 	if value == "" {
 		cookie.Expires = time.Unix(0, 0)
+		cookie.MaxAge = -1
 	}
 
 	return cookie

diff --git a/api/service/authservice/new_refresh_token_cookie.go b/api/service/authservice/new_refresh_token_cookie.go
@@ -2,21 +2,30 @@ package authservice
 
 import (
 	"net/http"
+	"os"
 	"time"
 )
 
 func (svc *AuthService) NewRefreshTokenCookie(value string) *http.Cookie {
+	env := os.Getenv("ENV")
+
 	cookie := &http.Cookie{
 		Name:     "piccolo-refresh-token",
 		Value:    value,
 		HttpOnly: true,
-		Secure:   false, // TODO change this for production
-		// SameSite: http.SameSiteStrictMode, // Prevents CSRF by restricting cross-site cookie transmission TODO
-		Path: "/",
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	}
+
+	if env == "local" {
+		cookie.Secure = false
+		cookie.SameSite = http.SameSiteNoneMode
 	}
 
 	if value == "" {
 		cookie.Expires = time.Unix(0, 0)
+		cookie.MaxAge = -1
 	}
 
 	return cookie