fix(GIST-39): set cookie for production (#13)

Courtcircuits · web-flow · commit aac75ca798b1 · 2024-09-02T17:00:07.000+02:00
* fix(GIST-39): set cookie in production

* docs(GIST-39): updated readme
diff --git a/README.md b/README.md
@@ -54,6 +54,7 @@ MAIL_PASSWORD="<REDACTED>"
 SMTP_PORT="<REDACTED>"
 SMTP_HOST="<REDACTED>"
 APP_KEY="<REDACTED>"
+ENV="development"
 ```
 
 4. Run the server in development mode
@@ -85,6 +86,7 @@ All the configuration is done through env variables :
 - `SMTP_PORT` : your smtp port
 - `SMTP_HOST` : your smtp host
 - `APP_KEY` : your app key, which is a random string that is used to encrypt access tokens
+- `ENV`: the environment in which the app is running (development, production)
 
 ## Tests
 
diff --git a/user/auth_controller.go b/user/auth_controller.go
@@ -33,7 +33,13 @@ func (a *AuthControllerImpl) Callback() fiber.Handler {
 		}
 		token_cookie := new(fiber.Cookie)
 		token_cookie.Name = "gists.access_token"
-		token_cookie.HTTPOnly = false
+		token_cookie.HTTPOnly = true
+		if utils.Get("ENV") == "development" {
+			token_cookie.Secure = false
+		} else {
+			token_cookie.Domain = ".gists.app" // hardcoded
+			token_cookie.Secure = true
+		}
 		token_cookie.Value = token
 		c.Cookie(token_cookie)
 		return c.Redirect(utils.Get("FRONTEND_URL"))
@@ -82,6 +88,13 @@ func (a *AuthControllerImpl) VerifyAuthToken() fiber.Handler {
 		token_cookie.Name = "gists.access_token"
 		token_cookie.HTTPOnly = true
 		token_cookie.Value = jwt_token
+
+		if utils.Get("ENV") == "development" {
+			token_cookie.Secure = false
+		} else {
+			token_cookie.Domain = ".gists.app" // hardcoded
+			token_cookie.Secure = true
+		}
 		c.Cookie(token_cookie)
 		return c.Status(200).JSON(fiber.Map{"message": "You are now logged in"})
 	}
