fix: setting Secure behind nginx

bug was due to having explicit 'serve --http=address' when running behind nginx on NixOS server So either a more complicated check was required, or just setting Secure=true unconditionally. This seems to be a better way, because Firefox already allows secure cookies beng sent and received from localhost for dev purposes, and Chromium does too
2023-10-09 04:50:33 +00:00 · 2023-10-09 04:50:33 +00:00 · a367ed9a34
parent 2a3d00839f
commit a367ed9a34
3 changed files with 37 additions and 18 deletions
--- a/auth-notes.org
+++ b/auth-notes.org
@ -214,6 +214,33 @@ this is all that's needed to enable tls
 mind blown
 ** DONE somehow set cookie to httpOnly & secure
 with ability to disable for development session
+*** a complication
+since i'm under the nginx, i can't just match on the serving address :
+#+begin_src
+[efim@franzk:~]$ systemctl status pb-auth-example-app.service
+● pb-auth-example-app.service - Exercise app auth-pocketbase-attempt
+     Loaded: loaded (/etc/systemd/system/pb-auth-example-app.service; enabled; preset: enabled)
+     Active: active (running) since Mon 2023-10-09 04:29:20 UTC; 1min 17s ago
+   Main PID: 411857 (auth-pocketbase)
+      Tasks: 13 (limit: 629145)
+     Memory: 28.3M
+        CPU: 148ms
+     CGroup: /system.slice/pb-auth-example-app.service
+             └─411857 /nix/store/czq95bjhwszasncp8f04d9yn4m0xf4kw-auth-pocketbase-attempt-0.0.1/bin/auth-pocketbase-attempt serve --http 127.0.0.1:45001 --dir=/home/pb-auth-example-app-user
+
+Oct 09 04:29:20 franzk systemd[1]: Started Exercise app auth-pocketbase-attempt.
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Warning: starting server with cookie Secure = false!
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Server started at http://127.0.0.1:45001
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: ├─ REST API: http://127.0.0.1:45001/api/
+Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: └─ Admin UI: http://127.0.0.1:45001/_/
+#+end_src
+*** so, custom arg is required, hello
+https://github.com/pocketbase/pocketbase/discussions/1900
+*** holy cow, Firefox and later Chrome will accept Secure cookie on localhost
+https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost
+
+see: except on localhost : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
+

 ** TODO maybe add middleware so that 401 would be a page, and not json
 ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
--- a/main.go
+++ b/main.go
@ -2,8 +2,6 @@ package main

 import (
 	"log"
-	"strings"
-
 	"github.com/pocketbase/pocketbase"
 	"sunshine.industries/auth-pocketbase-attempt/middleware"
 	"sunshine.industries/auth-pocketbase-attempt/pages"
@ -12,13 +10,10 @@ import (
 func main() {
 	app := pocketbase.New()

-	servedName := app.Settings().Meta.AppUrl
-	isTlsEnabled := strings.HasPrefix(servedName, "https://")
-
-	middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
+	middleware.AddCookieSessionMiddleware(app)
 	pages.AddPageRoutes(app)

-    if err := app.Start(); err != nil {
-        log.Fatal(err)
-    }
+	if err := app.Start(); err != nil {
+		log.Fatal(err)
+	}
 }
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -1,7 +1,6 @@
 package middleware

 import (
-	"log"
 	"net/http"

 	"github.com/labstack/echo/v5"
@ -15,9 +14,7 @@ import (

 const AuthCookieName = "Auth"

-func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
-	log.Println("Warning: starting server with cookie Secure = false!")
-
+func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 	app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
 		e.Router.Use(loadAuthContextFromCookie(app))
 		return nil
@ -29,7 +26,7 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
-			Secure: isTlsEnabled,
+			Secure: true,
 			HttpOnly: true,
 		})
 		e.HttpContext.SetCookie(&http.Cookie{
@ -43,12 +40,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
-			Secure: isTlsEnabled,
+			Secure: true,
 			HttpOnly: true,
 		})
        return nil
    })
-	app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
+	app.OnBeforeServe().Add(getLogoutRoute(app))
 }

 func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@ -92,7 +89,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
 }

 // render and return login page with configured oauth providers
-func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool)  func(*core.ServeEvent) error {
+func getLogoutRoute(app *pocketbase.PocketBase)  func(*core.ServeEvent) error {
 	return func (e *core.ServeEvent) error {
 		e.Router.GET("/logout", func(c echo.Context) error {
 			c.SetCookie(&http.Cookie{
@ -100,7 +97,7 @@ func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool)  func(*core.S
 				Value: "",
 				Path: "/",
 				MaxAge: -1,
-				Secure: isTlsEnabled,
+				Secure: true,
 				HttpOnly: true,
 			})
 			c.Response().Header().Add("HX-Trigger", "auth-change-event")