fix: setting Secure behind nginx

bug was due to having explicit 'serve --http=address' when running behind nginx on NixOS server So either a more complicated check was required, or just setting Secure=true unconditionally. This seems to be a better way, because Firefox already allows secure cookies beng sent and received from localhost for dev purposes, and Chromium does too
2023-10-09 04:50:33 +00:00 · 2023-10-09 04:50:33 +00:00 · 591aea717b
parent 2a3d00839f
commit 591aea717b
3 changed files with 35 additions and 18 deletions
--- a/auth-notes.org
+++ b/auth-notes.org
@ -214,6 +214,31 @@ this is all that's needed to enable tls
 mind blown
 ** DONE somehow set cookie to httpOnly & secure
 with ability to disable for development session
 *** a complication
 since i'm under the nginx, i can't just match on the serving address :
 #+begin_src
 [efim@franzk:~]$ systemctl status pb-auth-example-app.service
 ● pb-auth-example-app.service - Exercise app auth-pocketbase-attempt
     Loaded: loaded (/etc/systemd/system/pb-auth-example-app.service; enabled; preset: enabled)
     Active: active (running) since Mon 2023-10-09 04:29:20 UTC; 1min 17s ago
   Main PID: 411857 (auth-pocketbase)
      Tasks: 13 (limit: 629145)
     Memory: 28.3M
        CPU: 148ms
     CGroup: /system.slice/pb-auth-example-app.service
             └─411857 /nix/store/czq95bjhwszasncp8f04d9yn4m0xf4kw-auth-pocketbase-attempt-0.0.1/bin/auth-pocketbase-attempt serve --http 127.0.0.1:45001 --dir=/home/pb-auth-example-app-user
 Oct 09 04:29:20 franzk systemd[1]: Started Exercise app auth-pocketbase-attempt.
 Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Warning: starting server with cookie Secure = false!
 Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Server started at http://127.0.0.1:45001
 Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: ├─ REST API: http://127.0.0.1:45001/api/
 Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: └─ Admin UI: http://127.0.0.1:45001/_/
 #+end_src
 *** so, custom arg is required, hello
 https://github.com/pocketbase/pocketbase/discussions/1900
 *** holy cow, Firefox and later Chrome will accept Secure cookie on localhost
 https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost
 ** TODO maybe add middleware so that 401 would be a page, and not json
 ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
--- a/main.go
+++ b/main.go
@ -2,8 +2,6 @@ package main
 import (
 	"log"
 	"strings"
 	"github.com/pocketbase/pocketbase"
 	"sunshine.industries/auth-pocketbase-attempt/middleware"
 	"sunshine.industries/auth-pocketbase-attempt/pages"
@ -12,13 +10,10 @@ import (
 func main() {
 	app := pocketbase.New()
-	servedName := app.Settings().Meta.AppUrl
+	middleware.AddCookieSessionMiddleware(app)
 	isTlsEnabled := strings.HasPrefix(servedName, "https://")
 	middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
 	pages.AddPageRoutes(app)
-    if err := app.Start(); err != nil {
+	if err := app.Start(); err != nil {
-        log.Fatal(err)
+		log.Fatal(err)
-    }
+	}
 }
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -1,7 +1,6 @@
 package middleware
 import (
 	"log"
 	"net/http"
 	"github.com/labstack/echo/v5"
@ -15,9 +14,7 @@ import (
 const AuthCookieName = "Auth"
-func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
+func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 	log.Println("Warning: starting server with cookie Secure = false!")
 	app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
 		e.Router.Use(loadAuthContextFromCookie(app))
 		return nil
@ -29,7 +26,7 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
-			Secure: isTlsEnabled,
+			Secure: true,
 			HttpOnly: true,
 		})
 		e.HttpContext.SetCookie(&http.Cookie{
@ -43,12 +40,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
-			Secure: isTlsEnabled,
+			Secure: true,
 			HttpOnly: true,
 		})
        return nil
    })
-	app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
+	app.OnBeforeServe().Add(getLogoutRoute(app))
 }
 func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@ -92,7 +89,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
 }
 // render and return login page with configured oauth providers
-func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool)  func(*core.ServeEvent) error {
+func getLogoutRoute(app *pocketbase.PocketBase)  func(*core.ServeEvent) error {
 	return func (e *core.ServeEvent) error {
 		e.Router.GET("/logout", func(c echo.Context) error {
 			c.SetCookie(&http.Cookie{
@ -100,7 +97,7 @@ func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool)  func(*core.S
 				Value: "",
 				Path: "/",
 				MaxAge: -1,
-				Secure: isTlsEnabled,
+				Secure: true,
 				HttpOnly: true,
 			})
 			c.Response().Header().Add("HX-Trigger", "auth-change-event")