From 44663962598cb38e8a6a673757d6ac38aa294cb7 Mon Sep 17 00:00:00 2001 From: Ethan Girouard Date: Sun, 28 Jun 2026 13:48:31 -0400 Subject: [PATCH] Enable config option for secure auth cookies Enable by default in release mode --- src/server/auth.rs | 4 ++-- src/server/config.rs | 6 ++++++ src/server/main.rs | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/server/auth.rs b/src/server/auth.rs index 4d7107a..91619da 100644 --- a/src/server/auth.rs +++ b/src/server/auth.rs @@ -109,12 +109,12 @@ pub async fn get_user_by_username( } /// Create the authentication middleware layer -pub fn build_auth_layer(db_pool: DbPool, key_val_pool: KeyValPool) -> AuthLayer { +pub fn build_auth_layer(db_pool: DbPool, key_val_pool: KeyValPool, use_secure: bool) -> AuthLayer { use axum_login::{AuthManagerLayerBuilder, tower_sessions::SessionManagerLayer}; use tower_sessions_redis_store::RedisStore; let auth_session_store = RedisStore::new(key_val_pool); - let session_layer = SessionManagerLayer::new(auth_session_store); + let session_layer = SessionManagerLayer::new(auth_session_store).with_secure(use_secure); let auth_backend = AuthBackend { db_pool }; diff --git a/src/server/config.rs b/src/server/config.rs index 6b3f63b..c6d8248 100644 --- a/src/server/config.rs +++ b/src/server/config.rs @@ -1,8 +1,13 @@ use serde::Deserialize; +/// Enable secure cookies by default only in release mode +/// (Secure cookies can't be set over HTTP. Rough assumption: development is done over HTTP) +const DEFAULT_COOKIES_SECURE: bool = cfg!(not(debug_assertions)); + #[derive(Debug, Clone, Deserialize)] pub struct AuthConfig { pub open_signup: bool, + pub cookies_secure: bool, } /// Build a connection URI from parts @@ -153,6 +158,7 @@ pub fn load_config() -> Result { config::Config::builder() .set_default("server.port", 8080)? .set_default("auth.open_signup", false)? + .set_default("auth.cookies_secure", DEFAULT_COOKIES_SECURE)? .add_source(File::with_name(&format!("/etc/{pkg_name}/config")).required(false)) .add_source(File::with_name(&format!("/etc/{pkg_name}")).required(false)) .add_source(File::with_name("config").required(false)) diff --git a/src/server/main.rs b/src/server/main.rs index 0fd0f6f..b2b5920 100644 --- a/src/server/main.rs +++ b/src/server/main.rs @@ -34,7 +34,7 @@ async fn router_setup() -> Result { .await .err_context("Failed key-value store setup")?; - let auth_layer = build_auth_layer(db_pool.clone(), key_val_pool); + let auth_layer = build_auth_layer(db_pool.clone(), key_val_pool, config.auth.cookies_secure); let router = dioxus::server::router(App) .layer(from_fn(require_auth_middleware))