Set Secure flag on session cookie for HTTPS

Fixes #9 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 15:50:18 -08:00 · 2026-02-17 15:50:18 -08:00 · e6cd175c92
parent 29cbe1a52b
commit e6cd175c92
2 changed files with 4 additions and 2 deletions
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"

@ -54,7 +55,7 @@ func main() {
 		log.Info().Str("bot_login", forgejoClient.BotLogin).Msg("forgejo bot login initialized")
 	}

-	sessionStore := auth.NewPGStore(db, []byte(cfg.SessionSecret))
+	sessionStore := auth.NewPGStore(db, strings.HasPrefix(cfg.BaseURL, "https"), []byte(cfg.SessionSecret))
 	authService := auth.NewService(db, sessionStore, emailClient)

 	ctx, cancel := context.WithCancel(context.Background())
--- a/internal/auth/store.go
+++ b/internal/auth/store.go
@ -28,7 +28,7 @@ type PGStore struct {
 	options *sessions.Options
 }

-func NewPGStore(db *gorm.DB, keyPairs ...[]byte) *PGStore {
+func NewPGStore(db *gorm.DB, secure bool, keyPairs ...[]byte) *PGStore {
 	return &PGStore{
 		db:     db,
 		codecs: securecookie.CodecsFromPairs(keyPairs...),
@ -36,6 +36,7 @@ func NewPGStore(db *gorm.DB, keyPairs ...[]byte) *PGStore {
 			Path:     "/",
 			MaxAge:   sessionMaxAge,
 			HttpOnly: true,
+			Secure:   secure,
 			SameSite: http.SameSiteLaxMode,
 		},
 	}