shindakun.net
+79
COMPLETED_ISSUES.md
+79
COMPLETED_ISSUES.md
···
8
8
9
9
## COMPLETED ISSUES
10
10
11
+
### 18. Environment Configuration โ
**COMPLETED (v1.3.1)**
12
+
**Status:** FIXED - See [VERSION.md](VERSION.md) for details
13
+
14
+
**Issue:** Limited configuration options via environment variables.
15
+
16
+
**Implementation:**
17
+
- โ
Added 4 configurable environment variables
18
+
- `SESSION_TIMEOUT_DAYS` - Cookie lifetime configuration (default: 30 days)
19
+
- `RATE_LIMIT_AUTH` - Auth endpoint rate limits (default: 5 req/s, burst 10)
20
+
- `RATE_LIMIT_API` - API endpoint rate limits (default: 10 req/s, burst 20)
21
+
- `SERVER_PORT` - HTTP server port (default: 8181)
22
+
23
+
- โ
Helper functions for environment variable parsing
24
+
- `getEnvInt()` - Parse integers with validation and defaults
25
+
- `getRateLimitConfig()` - Parse "requests/sec,burst" format
26
+
- `validateConfig()` - Range validation with warnings
27
+
28
+
- โ
Configuration validation features
29
+
- Automatic validation on startup
30
+
- Warning logs for unusual but valid values
31
+
- Graceful fallback to defaults for invalid values
32
+
- Clear error messages with expected format
33
+
34
+
- โ
Comprehensive documentation
35
+
- Environment variable reference with defaults and examples
36
+
- Configuration examples for dev, staging, production, high-traffic
37
+
- Deployment examples (Docker, Docker Compose, Kubernetes)
38
+
- Rate limiting guidelines by scenario
39
+
- Session timeout security recommendations
40
+
41
+
**Scope Decision:**
42
+
- **Minimal approach**: Only 4 most critical production configuration needs
43
+
- **NOT included** (kept hardcoded with good defaults):
44
+
- HTTP client timeout (30s is industry standard)
45
+
- Server read/write/idle timeouts (current values are best practice)
46
+
- Cookie security flags (auto-detected from HTTPS, should not be overridden)
47
+
- Logging level (already auto-configured based on environment)
48
+
49
+
**Testing:**
50
+
- โ
Default values work without any environment variables
51
+
- โ
Custom values applied correctly
52
+
- โ
Invalid values fall back to defaults with warnings
53
+
- โ
Unusual values trigger warnings but still apply
54
+
- โ
Server port configuration tested
55
+
- โ
Rate limit configuration tested (format: "req/sec,burst")
56
+
- โ
Session timeout calculation tested (days to seconds conversion)
57
+
58
+
**Features:**
59
+
- **12-Factor App**: Environment-based configuration
60
+
- **Container-Friendly**: Works with Docker, K8s, orchestration
61
+
- **Secure by Default**: All optional, sensible defaults maintained
62
+
- **Production-Ready**: Per-environment configuration without code changes
63
+
- **User-Friendly**: Clear validation messages, graceful degradation
64
+
65
+
**Architecture:**
66
+
- Example application only (no core library changes)
67
+
- Zero breaking changes
68
+
- Backward compatible (all env vars optional)
69
+
- Follows Go conventions (strconv, validation, error handling)
70
+
71
+
**Impact:**
72
+
- **Flexibility**: Production deployments can tune rate limits and timeouts
73
+
- **Simplicity**: Only 4 variables (minimal configuration burden)
74
+
- **Safety**: Validation prevents misconfiguration
75
+
- **Documentation**: Clear guidance for all deployment scenarios
76
+
77
+
**Files Modified:**
78
+
- `examples/web-demo/main.go` - Added env parsing and validation (~70 lines)
79
+
- `README.md` - Added environment variable documentation (~185 lines)
80
+
81
+
**Test Results:**
82
+
- โ
Defaults: Port 8181, session 30 days, auth 5/10, API 10/20
83
+
- โ
Custom: All values configurable and applied correctly
84
+
- โ
Invalid: Falls back to defaults, logs warnings
85
+
- โ
Unusual: Applies value, logs configuration warning
86
+
- โ
No regressions: Existing functionality unchanged
87
+
88
+
---
89
+
11
90
### 17. Audit Trail Support โ
**COMPLETED (v1.3.0)**
12
91
**Status:** FIXED - See [CHANGELOG.md](CHANGELOG.md) and [VERSION.md](VERSION.md) for details
13
92
+178
-2
README.md
+178
-2
README.md
···
1594
1594
1595
1595
## Environment Variables
1596
1596
1597
-
The example application supports:
1597
+
The example application (`examples/web-demo`) supports configuration via environment variables for deployment flexibility.
1598
+
1599
+
### Required
1600
+
1601
+
- **`BASE_URL`** - Base URL for OAuth callbacks
1602
+
- Example: `https://myapp.com` or `http://localhost:8181`
1603
+
- Default: `http://localhost:8181`
1604
+
1605
+
### Optional Configuration
1606
+
1607
+
All optional environment variables have sensible defaults. Only override if you need custom values for your deployment.
1608
+
1609
+
#### Session Management
1610
+
1611
+
- **`SESSION_TIMEOUT_DAYS`** - Session cookie lifetime in days
1612
+
- Default: `30`
1613
+
- Range: 1-365 days (warnings logged outside this range)
1614
+
- Example: `SESSION_TIMEOUT_DAYS=7` for 7-day sessions
1615
+
- Note: Shorter timeouts improve security, longer improves convenience
1616
+
1617
+
#### Rate Limiting
1618
+
1619
+
- **`RATE_LIMIT_AUTH`** - Auth endpoint rate limit as `requests/sec,burst`
1620
+
- Default: `5,10`
1621
+
- Format: `requests_per_second,burst_size`
1622
+
- Example: `RATE_LIMIT_AUTH=10,20` for stricter limits
1623
+
- Applies to: `/login`, `/callback` endpoints
1624
+
- Purpose: Prevent brute force attacks on authentication
1598
1625
1599
-
- `BASE_URL` - Base URL for OAuth client (default: `http://localhost:8181`)
1626
+
- **`RATE_LIMIT_API`** - API endpoint rate limit as `requests/sec,burst`
1627
+
- Default: `10,20`
1628
+
- Format: `requests_per_second,burst_size`
1629
+
- Example: `RATE_LIMIT_API=50,100` for higher throughput
1630
+
- Applies to: `/post`, `/create-record`, `/delete-record`, `/get-record` endpoints
1631
+
- Purpose: Prevent API abuse while allowing normal usage
1632
+
1633
+
#### Server Configuration
1634
+
1635
+
- **`SERVER_PORT`** - HTTP server port
1636
+
- Default: `8181`
1637
+
- Example: `SERVER_PORT=8080`
1638
+
- Useful for container orchestration or avoiding port conflicts
1639
+
1640
+
### Example Configurations
1641
+
1642
+
#### Development
1643
+
1644
+
```bash
1645
+
BASE_URL=http://localhost:8181
1646
+
SESSION_TIMEOUT_DAYS=7 # Shorter for testing
1647
+
RATE_LIMIT_AUTH=10,20 # More permissive
1648
+
RATE_LIMIT_API=50,100 # Higher for local testing
1649
+
SERVER_PORT=8181
1650
+
```
1651
+
1652
+
#### Staging
1653
+
1654
+
```bash
1655
+
BASE_URL=https://staging.myapp.com
1656
+
SESSION_TIMEOUT_DAYS=14 # Medium timeout
1657
+
RATE_LIMIT_AUTH=5,10 # Production-like
1658
+
RATE_LIMIT_API=20,40 # Moderate limits
1659
+
SERVER_PORT=8080
1660
+
```
1661
+
1662
+
#### Production
1663
+
1664
+
```bash
1665
+
BASE_URL=https://myapp.com
1666
+
SESSION_TIMEOUT_DAYS=30 # Standard (default)
1667
+
RATE_LIMIT_AUTH=5,10 # Strict (default)
1668
+
RATE_LIMIT_API=10,20 # Conservative (default)
1669
+
SERVER_PORT=8080
1670
+
```
1671
+
1672
+
#### High-Traffic Production
1673
+
1674
+
```bash
1675
+
BASE_URL=https://myapp.com
1676
+
SESSION_TIMEOUT_DAYS=30
1677
+
RATE_LIMIT_AUTH=10,30 # More permissive for high traffic
1678
+
RATE_LIMIT_API=100,200 # Much higher throughput
1679
+
SERVER_PORT=8080
1680
+
```
1681
+
1682
+
### Configuration Validation
1683
+
1684
+
The application automatically validates configuration on startup:
1685
+
1686
+
- **Invalid values**: Falls back to defaults and logs warnings
1687
+
- **Unusual values**: Logs warnings but applies the value
1688
+
- **Format errors**: Logs clear error messages with expected format
1689
+
1690
+
**Example validation output:**
1691
+
```
1692
+
โ ๏ธ Warning: Invalid SESSION_TIMEOUT_DAYS value 'abc', using default: 30
1693
+
โ ๏ธ Warning: Invalid RATE_LIMIT_AUTH format '5' (expected 'req/sec,burst'), using defaults: 5,10
1694
+
โ ๏ธ Configuration warnings:
1695
+
- SESSION_TIMEOUT_DAYS=400 is unusual (expected 1-365)
1696
+
- RATE_LIMIT_API requests/sec=5000.0 is unusual (expected 0.1-1000)
1697
+
```
1698
+
1699
+
### Running with Custom Configuration
1700
+
1701
+
**Command line:**
1702
+
```bash
1703
+
BASE_URL=https://myapp.com SESSION_TIMEOUT_DAYS=14 go run examples/web-demo/main.go
1704
+
```
1705
+
1706
+
**Environment file:**
1707
+
```bash
1708
+
# .env
1709
+
BASE_URL=https://myapp.com
1710
+
SESSION_TIMEOUT_DAYS=14
1711
+
RATE_LIMIT_AUTH=10,20
1712
+
RATE_LIMIT_API=50,100
1713
+
SERVER_PORT=8080
1714
+
```
1715
+
1716
+
```bash
1717
+
source .env
1718
+
go run examples/web-demo/main.go
1719
+
```
1720
+
1721
+
**Docker:**
1722
+
```dockerfile
1723
+
ENV BASE_URL=https://myapp.com
1724
+
ENV SESSION_TIMEOUT_DAYS=30
1725
+
ENV RATE_LIMIT_AUTH=5,10
1726
+
ENV RATE_LIMIT_API=20,40
1727
+
ENV SERVER_PORT=8080
1728
+
```
1729
+
1730
+
**Docker Compose:**
1731
+
```yaml
1732
+
services:
1733
+
app:
1734
+
environment:
1735
+
- BASE_URL=https://myapp.com
1736
+
- SESSION_TIMEOUT_DAYS=30
1737
+
- RATE_LIMIT_AUTH=5,10
1738
+
- RATE_LIMIT_API=20,40
1739
+
- SERVER_PORT=8080
1740
+
```
1741
+
1742
+
**Kubernetes:**
1743
+
```yaml
1744
+
env:
1745
+
- name: BASE_URL
1746
+
value: "https://myapp.com"
1747
+
- name: SESSION_TIMEOUT_DAYS
1748
+
value: "30"
1749
+
- name: RATE_LIMIT_AUTH
1750
+
value: "5,10"
1751
+
- name: RATE_LIMIT_API
1752
+
value: "20,40"
1753
+
- name: SERVER_PORT
1754
+
value: "8080"
1755
+
```
1756
+
1757
+
### Rate Limiting Guidelines
1758
+
1759
+
**Auth Endpoints (login/callback):**
1760
+
- **Conservative (default)**: 5 req/s, burst 10 - Prevents brute force, minimal false positives
1761
+
- **Strict**: 2 req/s, burst 5 - Maximum security, may affect legitimate retries
1762
+
- **Permissive**: 10 req/s, burst 20 - High-traffic sites with good monitoring
1763
+
1764
+
**API Endpoints (post/create/delete/get):**
1765
+
- **Conservative (default)**: 10 req/s, burst 20 - Prevents abuse, handles normal usage
1766
+
- **Low-traffic**: 5 req/s, burst 10 - Resource-constrained environments
1767
+
- **High-traffic**: 50-100 req/s, burst 100-200 - Large user base, active usage
1768
+
1769
+
### Session Timeout Guidelines
1770
+
1771
+
- **7 days**: High-security environments, sensitive data
1772
+
- **14 days**: Balanced security and convenience
1773
+
- **30 days (default)**: Standard web applications
1774
+
- **60-90 days**: Low-risk applications, convenience-focused
1775
+
- **365 days**: Not recommended (configure if absolutely required)
1600
1776
1601
1777
## Contributing
1602
1778
+1
-13
TODO.md
+1
-13
TODO.md
···
19
19
20
20
## Low Priority / Best Practices
21
21
22
-
### 18. Environment Configuration
23
-
**File:** [examples/web-demo/main.go:14-17](examples/web-demo/main.go#L14-L17)
24
-
25
-
**Issue:** Limited configuration options via environment variables.
26
-
27
-
**Recommendation:**
28
-
- Add configuration for:
29
-
- Session timeout
30
-
- Cookie security settings
31
-
- Rate limiting parameters
32
-
- Logging level
33
-
- Consider configuration file support
34
-
- Validate configuration on startup
22
+
*No low priority issues remain.*
35
23
36
24
---
37
25
+49
-1
VERSION.md
+49
-1
VERSION.md
···
9
9
- **Minor version (v1.x.0)**: New features, non-breaking enhancements
10
10
- **Patch version (v1.0.x)**: Bug fixes, documentation updates, internal improvements
11
11
12
-
## Current Version: v1.3.0
12
+
## Current Version: v1.3.1
13
+
14
+
### v1.3.1 (2025-10-29)
15
+
16
+
**Patch release** - Environment variable configuration for web-demo example
17
+
18
+
#### Enhancements
19
+
20
+
**Environment Variable Configuration:**
21
+
- Added 4 configurable environment variables for the example application
22
+
- `SESSION_TIMEOUT_DAYS` - Session cookie lifetime (default: 30 days)
23
+
- `RATE_LIMIT_AUTH` - Auth endpoint rate limits (default: 5,10)
24
+
- `RATE_LIMIT_API` - API endpoint rate limits (default: 10,20)
25
+
- `SERVER_PORT` - HTTP server port (default: 8181)
26
+
27
+
**Configuration Validation:**
28
+
- Automatic validation on startup with warnings for unusual values
29
+
- Graceful fallback to defaults for invalid values
30
+
- Clear error messages with expected format guidance
31
+
32
+
**Helper Functions:**
33
+
- `getEnvInt()` - Parse integer environment variables with defaults
34
+
- `getRateLimitConfig()` - Parse "requests/sec,burst" format
35
+
- `validateConfig()` - Validate configuration ranges and log warnings
36
+
37
+
**Documentation:**
38
+
- Comprehensive environment variable reference in README
39
+
- Example configurations for dev, staging, production, and high-traffic scenarios
40
+
- Docker, Docker Compose, and Kubernetes deployment examples
41
+
- Rate limiting and session timeout guidelines
42
+
43
+
#### Files Modified
44
+
- `examples/web-demo/main.go` - Added environment variable parsing and validation (~70 lines)
45
+
- `README.md` - Added "Environment Variables" section (~185 lines)
46
+
- `TODO.md` - Removed Issue #18
47
+
- `COMPLETED_ISSUES.md` - Added Issue #18 with implementation details
48
+
- `VERSION.md` - Added v1.3.1 release notes
49
+
50
+
#### Impact
51
+
- **No Library Changes**: Example application only (100% backward compatible)
52
+
- **Sensible Defaults**: All variables are optional, existing deployments unaffected
53
+
- **Production-Ready**: Enables per-environment configuration without code changes
54
+
- **12-Factor Compliant**: Environment-based configuration for containers/orchestration
55
+
56
+
#### Issue Resolution
57
+
- Resolves Issue #18: Environment Configuration
58
+
- Moved to COMPLETED_ISSUES.md
59
+
60
+
---
13
61
14
62
### v1.3.0 (2025-10-29)
15
63
+107
-30
examples/web-demo/main.go
+107
-30
examples/web-demo/main.go
···
6
6
"log"
7
7
"net/http"
8
8
"os"
9
+
"strconv"
9
10
"strings"
10
11
"time"
12
+
13
+
"golang.org/x/time/rate"
11
14
12
15
"github.com/shindakun/bskyoauth"
13
16
"github.com/shindakun/bskyoauth/lexicon"
14
17
)
15
18
19
+
// getEnvInt returns an integer environment variable or default value.
20
+
// Logs a warning if the value is set but invalid.
21
+
func getEnvInt(key string, defaultVal int) int {
22
+
if val := os.Getenv(key); val != "" {
23
+
if parsed, err := strconv.Atoi(val); err == nil {
24
+
return parsed
25
+
}
26
+
log.Printf("โ ๏ธ Warning: Invalid %s value '%s', using default: %d", key, val, defaultVal)
27
+
}
28
+
return defaultVal
29
+
}
30
+
31
+
// getRateLimitConfig parses "requests/sec,burst" format (e.g., "5,10").
32
+
// Returns default values if parsing fails or env var is not set.
33
+
func getRateLimitConfig(key string, defaultReqSec float64, defaultBurst int) (float64, int) {
34
+
if val := os.Getenv(key); val != "" {
35
+
parts := strings.Split(val, ",")
36
+
if len(parts) == 2 {
37
+
reqSec, err1 := strconv.ParseFloat(strings.TrimSpace(parts[0]), 64)
38
+
burst, err2 := strconv.Atoi(strings.TrimSpace(parts[1]))
39
+
if err1 == nil && err2 == nil && reqSec > 0 && burst > 0 {
40
+
return reqSec, burst
41
+
}
42
+
}
43
+
log.Printf("โ ๏ธ Warning: Invalid %s format '%s' (expected 'req/sec,burst'), using defaults: %.0f,%d", key, val, defaultReqSec, defaultBurst)
44
+
}
45
+
return defaultReqSec, defaultBurst
46
+
}
47
+
48
+
// validateConfig checks configuration values and logs warnings for unusual settings.
49
+
func validateConfig(sessionTimeoutDays int, authReqSec, apiReqSec float64, authBurst, apiBurst int) {
50
+
warnings := []string{}
51
+
52
+
if sessionTimeoutDays < 1 || sessionTimeoutDays > 365 {
53
+
warnings = append(warnings, fmt.Sprintf("SESSION_TIMEOUT_DAYS=%d is unusual (expected 1-365)", sessionTimeoutDays))
54
+
}
55
+
56
+
if authReqSec < 0.1 || authReqSec > 100 {
57
+
warnings = append(warnings, fmt.Sprintf("RATE_LIMIT_AUTH requests/sec=%.1f is unusual (expected 0.1-100)", authReqSec))
58
+
}
59
+
60
+
if apiReqSec < 0.1 || apiReqSec > 1000 {
61
+
warnings = append(warnings, fmt.Sprintf("RATE_LIMIT_API requests/sec=%.1f is unusual (expected 0.1-1000)", apiReqSec))
62
+
}
63
+
64
+
if authBurst < 1 || apiBurst < 1 {
65
+
warnings = append(warnings, "Rate limit burst values must be positive")
66
+
}
67
+
68
+
if len(warnings) > 0 {
69
+
log.Println("โ ๏ธ Configuration warnings:")
70
+
for _, w := range warnings {
71
+
log.Printf(" - %s", w)
72
+
}
73
+
}
74
+
}
75
+
16
76
func main() {
77
+
// Load configuration from environment variables
17
78
baseURL := os.Getenv("BASE_URL")
18
79
if baseURL == "" {
19
80
baseURL = "http://localhost:8181"
20
81
}
21
82
83
+
serverPort := os.Getenv("SERVER_PORT")
84
+
if serverPort == "" {
85
+
serverPort = "8181"
86
+
}
87
+
88
+
sessionTimeoutDays := getEnvInt("SESSION_TIMEOUT_DAYS", 30)
89
+
authReqSec, authBurst := getRateLimitConfig("RATE_LIMIT_AUTH", 5, 10)
90
+
apiReqSec, apiBurst := getRateLimitConfig("RATE_LIMIT_API", 10, 20)
91
+
92
+
// Validate configuration and log warnings for unusual values
93
+
validateConfig(sessionTimeoutDays, authReqSec, apiReqSec, authBurst, apiBurst)
94
+
22
95
// Configure structured logging based on environment
23
96
logger := bskyoauth.NewLoggerFromEnv(baseURL)
24
97
bskyoauth.SetLogger(logger)
···
43
116
})
44
117
45
118
// Create rate limiters for different endpoint types
46
-
// Login/callback: 5 requests per second, burst of 10 (prevent brute force)
47
-
authLimiter := bskyoauth.NewRateLimiter(5, 10)
119
+
// Auth endpoints (login/callback): Prevent brute force attacks
120
+
authLimiter := bskyoauth.NewRateLimiter(rate.Limit(authReqSec), authBurst)
48
121
authLimiter.StartCleanup(5*time.Minute, 10*time.Minute)
49
122
50
-
// API operations: 10 requests per second, burst of 20 (normal usage)
51
-
apiLimiter := bskyoauth.NewRateLimiter(10, 20)
123
+
// API endpoints: Normal usage rate limiting
124
+
apiLimiter := bskyoauth.NewRateLimiter(rate.Limit(apiReqSec), apiBurst)
52
125
apiLimiter.StartCleanup(5*time.Minute, 10*time.Minute)
53
126
54
127
// Set up HTTP handlers with rate limiting
···
56
129
mux.HandleFunc("/", homeHandler(client))
57
130
mux.HandleFunc("/client-metadata.json", client.ClientMetadataHandler())
58
131
mux.HandleFunc("/login", authLimiter.Middleware(loginHandler(client)))
59
-
mux.HandleFunc("/callback", authLimiter.Middleware(client.CallbackHandler(callbackSuccessHandler)))
132
+
mux.HandleFunc("/callback", authLimiter.Middleware(client.CallbackHandler(callbackSuccessHandler(sessionTimeoutDays))))
60
133
mux.HandleFunc("/post", apiLimiter.Middleware(postHandler(client)))
61
134
mux.HandleFunc("/create-record", apiLimiter.Middleware(createRecordHandler(client)))
62
135
mux.HandleFunc("/delete-record", apiLimiter.Middleware(deleteRecordHandler(client)))
···
66
139
// Apply security headers middleware
67
140
handler := bskyoauth.SecurityHeadersMiddleware()(mux)
68
141
69
-
log.Println("Server starting on :8181")
142
+
// Display configuration
143
+
log.Printf("Server starting on :%s", serverPort)
70
144
log.Println("Base URL:", baseURL)
71
145
if strings.HasPrefix(baseURL, "https://") {
72
146
log.Println("โ Using HTTPS - secure configuration")
···
80
154
}
81
155
82
156
log.Println("โ Rate limiting enabled:")
83
-
log.Println(" - Auth endpoints: 5 req/s (burst: 10)")
84
-
log.Println(" - API endpoints: 10 req/s (burst: 20)")
157
+
log.Printf(" - Auth endpoints: %.0f req/s (burst: %d)", authReqSec, authBurst)
158
+
log.Printf(" - API endpoints: %.0f req/s (burst: %d)", apiReqSec, apiBurst)
159
+
log.Printf("โ Session timeout: %d days", sessionTimeoutDays)
85
160
log.Println("โ Security headers enabled (auto-detects localhost)")
86
161
log.Println("โ HTTP timeouts configured:")
87
162
log.Println(" - Client requests: 30s total timeout")
···
89
164
90
165
// Configure HTTP server with timeouts to prevent resource exhaustion attacks
91
166
server := &http.Server{
92
-
Addr: ":8181",
167
+
Addr: ":" + serverPort,
93
168
Handler: handler,
94
169
ReadTimeout: 15 * time.Second, // Time to read request headers and body
95
170
WriteTimeout: 15 * time.Second, // Time to write response
···
306
381
}
307
382
}
308
383
309
-
func callbackSuccessHandler(w http.ResponseWriter, r *http.Request, sessionID string) {
310
-
// Add request ID for correlation
311
-
requestID := bskyoauth.GenerateRequestID()
312
-
log.Printf("[%s] OAuth callback successful, session: %s", requestID, sessionID)
384
+
func callbackSuccessHandler(sessionTimeoutDays int) func(http.ResponseWriter, *http.Request, string) {
385
+
return func(w http.ResponseWriter, r *http.Request, sessionID string) {
386
+
// Add request ID for correlation
387
+
requestID := bskyoauth.GenerateRequestID()
388
+
log.Printf("[%s] OAuth callback successful, session: %s", requestID, sessionID)
313
389
314
-
// Determine if we're running in secure mode (HTTPS)
315
-
baseURL := os.Getenv("BASE_URL")
316
-
if baseURL == "" {
317
-
baseURL = "http://localhost:8181"
318
-
}
319
-
isSecure := strings.HasPrefix(baseURL, "https://")
390
+
// Determine if we're running in secure mode (HTTPS)
391
+
baseURL := os.Getenv("BASE_URL")
392
+
if baseURL == "" {
393
+
baseURL = "http://localhost:8181"
394
+
}
395
+
isSecure := strings.HasPrefix(baseURL, "https://")
320
396
321
-
// Set session cookie with security enhancements
322
-
http.SetCookie(w, &http.Cookie{
323
-
Name: "session_id",
324
-
Value: sessionID,
325
-
Path: "/",
326
-
HttpOnly: true, // Prevents JavaScript access
327
-
Secure: isSecure, // HTTPS only in production
328
-
SameSite: http.SameSiteLaxMode, // CSRF protection
329
-
MaxAge: 2592000, // 30 days (configurable)
330
-
})
397
+
// Set session cookie with security enhancements
398
+
http.SetCookie(w, &http.Cookie{
399
+
Name: "session_id",
400
+
Value: sessionID,
401
+
Path: "/",
402
+
HttpOnly: true, // Prevents JavaScript access
403
+
Secure: isSecure, // HTTPS only in production
404
+
SameSite: http.SameSiteLaxMode, // CSRF protection
405
+
MaxAge: sessionTimeoutDays * 86400, // Convert days to seconds
406
+
})
331
407
332
-
http.Redirect(w, r, "/", http.StatusFound)
408
+
http.Redirect(w, r, "/", http.StatusFound)
409
+
}
333
410
}
334
411
335
412
func postHandler(client *bskyoauth.Client) http.HandlerFunc {