Monorepo for Tangled tangled.org

appview/oauth: fix session cookie flags for dev mode #1119

open opened by

nolith.dev 1 week ago targeting master from nolith.dev/tangled-core: ac/push-qtnvwvpuwwsn

gorilla/sessions defaults to Secure=true and SameSite=None, which prevents the session cookie from being sent over plain HTTP. This caused immediate logout after a successful OAuth callback in the dev environment (TANGLED_DEV=true).

The accounts and auth-return cookies already override these defaults with Secure=!Dev and SameSite=Lax, but the main session cookie (appview-session-v2) was missing the same treatment. Apply consistent cookie options at the store level so all sessions inherit them.

Signed-off-by: Alessio Caiazza code.git@caiazza.info AI-assisted: GitLab Duo Agentic Chat (Claude Opus 4.6)

Labels

None yet.

assignee

None yet.

Participants 2

AT URI

at://did:plc:nzep3slobztdph3kxswzbing/sh.tangled.repo.pull/3mghng5n36322

1 changed file

Diff round #0

expand all

appview

oauth

oauth.go

appview/oauth/oauth.go

··· 75 75 } 76 76 77 77 sessStore := sessions.NewCookieStore([]byte(config.Core.CookieSecret)) 78 + sessStore.Options.HttpOnly = true 79 + sessStore.Options.Secure = !config.Core.Dev 80 + sessStore.Options.SameSite = http.SameSiteLaxMode 78 81 79 82 clientApp := oauth.NewClientApp(&oauthConfig, authStore) 80 83 clientApp.Dir = res.Directory()

History

1 round 1 comment

nolith.dev submitted #0 10d

1 commit

expand

f5cfe2eb

appview/oauth: fix session cookie flags for dev mode

no conflicts, ready to merge

expand 1 comment

oppi.li 22hrs

why do we need this? oauth on dev mode works fine for me. Secure should default to false.