From bb73d4831c71830c10b0cebc69301c3091e9138b Mon Sep 17 00:00:00 2001
From: Jan-Lukas Else
Date: Sat, 20 Feb 2021 22:45:38 +0100
Subject: [PATCH] Fix cookies for auth and captcha
---
 authentication.go | 4 ++--
 captcha.go | 4 ++--
 config.go | 4 ++++
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/authentication.go b/authentication.go
index 29619b9..7a5f7f8 100644
--- a/authentication.go
+++ b/authentication.go
@@ -121,8 +121,8 @@ func createTokenCookie(username string) (*http.Cookie, error) {
 Name: "token",
 Value: tokenString,
 Expires: expiration,
- Secure: true,
+ Secure: httpsConfigured(),
 HttpOnly: true,
- SameSite: http.SameSiteStrictMode,
+ SameSite: http.SameSiteLaxMode,
 }, nil
 }
diff --git a/captcha.go b/captcha.go
index 9c75a74..f0fc965 100644
--- a/captcha.go
+++ b/captcha.go
@@ -105,8 +105,8 @@ func createCaptchaCookie() (*http.Cookie, error) {
 Name: "captcha",
 Value: tokenString,
 Expires: expiration,
- Secure: true,
+ Secure: httpsConfigured(),
 HttpOnly: true,
- SameSite: http.SameSiteStrictMode,
+ SameSite: http.SameSiteLaxMode,
 }, nil
 }
diff --git a/config.go b/config.go
index c8084c8..759e89d 100644
--- a/config.go
+++ b/config.go
@@ -260,3 +260,7 @@ func initConfig() error {
 }
 return nil
 }
+
+func httpsConfigured() bool {
+ return appConfig.Server.PublicHTTPS || appConfig.Server.SecurityHeaders || strings.HasPrefix(appConfig.Server.PublicAddress, "https")
+}
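Review bot: In createTokenCookie (authentication.go) the session token cookie moves from `http.SameSiteStrictMode` to `http.SameSiteLaxMode`, so browsers will now attach it to cross-site top-level GET navigations, and nothing in this hunk shows that every cookie-authenticated handler that changes state rejects GET or carries its own CSRF check. `Secure: httpsConfigured()` also means the token is issued without the Secure attribute whenever the configuration is not recognised as HTTPS, which would include a TLS deployment behind a proxy with an incomplete config. I would record the constraint next to the field, e.g. `// Lax: sent on cross-site top-level GET navigations; state-changing handlers must not accept GET.` The same two changes are made to createCaptchaCookie in captcha.go, where the exposure is smaller but the comment applies equally. Both functions start outside their hunks, so how the token value and expiry are built is not visible here.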
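Review bot: httpsConfigured in config.go now decides whether the auth and captcha cookies carry the Secure attribute, and it fails open: if none of the three settings is present the cookies are issued for plain HTTP even when the site is in fact reached over TLS. The prefix test `strings.HasPrefix(appConfig.Server.PublicAddress, "https")` accepts any value that merely begins with those five letters; `strings.HasPrefix(strings.ToLower(appConfig.Server.PublicAddress), "https://")` is stricter and tolerates an upper-case scheme. Treating `SecurityHeaders` as evidence of HTTPS is an assumption that is not explained anywhere in the hunk and deserves a doc comment, for example `// httpsConfigured reports whether the configuration indicates the site is served over HTTPS; cookies are marked Secure only when it returns true.`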