CORS stuff

config.sample.yaml

@@ -11,6 +11,6 @@ auth:
   domain: example.com
   # this allows the JWT cookie to be served over plain HTTP only for these Host: header values
   allowInsecureFor:
-    "localhost:3050": true
+    "localhost": true
 listen: ':3050'
 public: true

pkg/gordio/auth/jwt.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
 	"golang.org/x/crypto/bcrypt"
@@ -102,7 +103,8 @@ func (a *authenticator) PrivateRoutes(r chi.Router) {
 }
 
 func (a *authenticator) allowInsecureCookie(r *http.Request) bool {
-	v, has := a.cfg.AllowInsecure[r.Host]
+	host := strings.Split(r.Host, ":")
+	v, has := a.cfg.AllowInsecure[host[0]]
 	return has && v
 }
 
@@ -130,7 +132,13 @@ func (a *authenticator) routeRefresh(w http.ResponseWriter, r *http.Request) {
 		Name:     "jwt",
 		Value:    tok,
 		HttpOnly: true,
-		Secure:   !a.allowInsecureCookie(r),
+		Secure:   true,
+	}
+
+	if a.allowInsecureCookie(r) {
+		cookie.Secure = false
+		cookie.SameSite = http.SameSiteNoneMode
+		log.Debug().Msg("same site none")
 	}
 
 	if cookie.Secure {
@@ -168,12 +176,16 @@ func (a *authenticator) routeAuth(w http.ResponseWriter, r *http.Request) {
 		Name:     "jwt",
 		Value:    tok,
 		HttpOnly: true,
-		Secure:   !a.allowInsecureCookie(r),
+		Secure:   true,
 	}
 
-	if cookie.Secure {
+	if a.allowInsecureCookie(r) {
+		cookie.Secure = false
+		cookie.SameSite = http.SameSiteNoneMode
+	} else {
 		cookie.Domain = a.cfg.Domain
 	}
+
 	http.SetCookie(w, cookie)
 
 	jr := struct {

pkg/gordio/server/server.go

@@ -54,7 +54,7 @@ func New(cfg *config.Config) (*Server, error) {
 		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
 		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "Upgrade"},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: false,
+		AllowCredentials: true,
 		MaxAge:           300, // Maximum value not ignored by any of major browsers
 	}))
 	srv.setupRoutes()