4 changed files with 10 additions and 40 deletions
--- a/auth-notes.org
+++ b/auth-notes.org
@ -184,7 +184,7 @@ now works
 because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection
 *** adding a custom flag:
 https://github.com/pocketbase/pocketbase/discussions/1900
-** DONE change some additional config to option :
+** TODO change some additional config to option :
      ${optionalString config.proxyWebsockets ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
@ -192,29 +192,13 @@ https://github.com/pocketbase/pocketbase/discussions/1900
      ''}
 ( also in planning poker repo )

-https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428


 ** TODO add docker image from nix
 *** CANCELLED add cli for port and host
 ** TODO add readme and comments
-** DONE configure tls / ssl / https on franzk deployment
-https://nixos.org/manual/nixos/stable/#module-security-acme-nginx
-( and also same here https://nixos.wiki/wiki/Nginx )
-
+** TODO configure tls / ssl / https on franzk deployment
 can it be configured on render.com?
-omg
-line 112 & 113 in project config:
-http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05
-
-and this in my server config:
-https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f
-
-this is all that's needed to enable tls
-mind blown
-** DONE somehow set cookie to httpOnly & secure
-with ability to disable for development session
-
 ** TODO maybe add middleware so that 401 would be a page, and not json
 ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
 http://localhost:8090/_/images/oauth2/apple.svg
--- a/flake.nix
+++ b/flake.nix
@ -114,9 +114,10 @@
                  locations."/" = {
                    proxyPass = "http://127.0.0.1:${toString cfg.port}";
                    # taken from https://pocketbase.io/docs/going-to-production/
-                    proxyWebsockets = true;
                    extraConfig = ''
                      # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+                      proxy_set_header Connection ''';
+                      proxy_http_version 1.1;
                      proxy_read_timeout 360s;

                      proxy_set_header Host $host;
--- a/main.go
+++ b/main.go
@ -1,21 +1,16 @@
 package main

 import (
-	"log"
-	"strings"
+    "log"

-	"github.com/pocketbase/pocketbase"
+    "github.com/pocketbase/pocketbase"
 	"sunshine.industries/auth-pocketbase-attempt/middleware"
 	"sunshine.industries/auth-pocketbase-attempt/pages"
 )

 func main() {
 	app := pocketbase.New()
-
-	servedName := app.Settings().Meta.AppUrl
-	isTlsEnabled := strings.HasPrefix(servedName, "https://")
-
-	middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
+	middleware.AddCookieSessionMiddleware(app)
 	pages.AddPageRoutes(app)

    if err := app.Start(); err != nil {
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -1,9 +1,7 @@
 package middleware

 import (
-	"log"
 	"net/http"
-
 	"github.com/labstack/echo/v5"
 	"github.com/pocketbase/pocketbase"
 	"github.com/pocketbase/pocketbase/apis"
@ -15,9 +13,7 @@ import (

 const AuthCookieName = "Auth"

-func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
-	log.Println("Warning: starting server with cookie Secure = false!")
-
+func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 	app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
 		e.Router.Use(loadAuthContextFromCookie(app))
 		return nil
@ -29,8 +25,6 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
-			Secure: isTlsEnabled,
-			HttpOnly: true,
 		})
 		e.HttpContext.SetCookie(&http.Cookie{
 			Name: "username",
@ -43,12 +37,10 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
-			Secure: isTlsEnabled,
-			HttpOnly: true,
 		})
        return nil
    })
-	app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
+	app.OnBeforeServe().Add(getLogoutRoute(app))
 }

 func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@ -92,7 +84,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
 }

 // render and return login page with configured oauth providers
-func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool)  func(*core.ServeEvent) error {
+func getLogoutRoute(app *pocketbase.PocketBase)  func(*core.ServeEvent) error {
 	return func (e *core.ServeEvent) error {
 		e.Router.GET("/logout", func(c echo.Context) error {
 			c.SetCookie(&http.Cookie{
@ -100,8 +92,6 @@ func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool)  func(*core.S
 				Value: "",
 				Path: "/",
 				MaxAge: -1,
-				Secure: isTlsEnabled,
-				HttpOnly: true,
 			})
 			c.Response().Header().Add("HX-Trigger", "auth-change-event")
 			return c.JSON(http.StatusOK, map[string]string{"message": "session cookie removed"})