Secure cookies

src/Configuration.kt

@@ -3,13 +3,14 @@ package be.vandewalleh
 import com.sksamuel.hoplite.Masked
 import java.util.concurrent.TimeUnit
 
-data class Config(val database: DatabaseConfig, val server: ServerConfig, val jwt: JwtConfig) {
+data class Config(val database: DatabaseConfig, val server: ServerConfig, val jwt: JwtConfig, val cookies: Cookies) {
     override fun toString(): String {
         return """
             Config(
                 database=$database,
                 server=$server,
-                jwt=$jwt
+                jwt=$jwt,
+                cookies=$cookies
             )
         """.trimIndent()
     }
@@ -19,3 +20,4 @@ data class DatabaseConfig(val host: String, val port: Int, val name: String, val
 data class ServerConfig(val host: String, val port: Int, val cors: Boolean)
 data class JwtConfig(val auth: Jwt, val refresh: Jwt)
 data class Jwt(val validity: Long, val unit: TimeUnit, val secret: Masked)
+data class Cookies(val secure: Boolean)

src/Dependencies.kt

@@ -79,7 +79,8 @@ val mainModule = DI.Module("main") {
             userRepository = instance(),
             authJWT = instance(tag = "auth"),
             templates = instance(),
-            passwordHash = instance()
+            passwordHash = instance(),
+            useSecureCookies = instance<Config>().cookies.secure
         )
     }
 

src/controllers/web/UserController.kt

@@ -6,6 +6,7 @@ import be.vandewalleh.extensions.respondKorte
 import be.vandewalleh.features.PasswordHash
 import be.vandewalleh.repositories.UserRepository
 import be.vandewalleh.validation.registerValidator
+import com.auth0.jwt.JWT
 import com.soywiz.korte.Templates
 import io.ktor.application.*
 import io.ktor.http.*
@@ -13,12 +14,14 @@ import io.ktor.http.HttpStatusCode.Companion.Unauthorized
 import io.ktor.http.content.*
 import io.ktor.request.*
 import io.ktor.response.*
+import io.ktor.util.date.GMTDate
 
 class UserController(
     private val userRepository: UserRepository,
     private val templates: Templates,
     private val authJWT: SimpleJWT,
-    private val passwordHash: PasswordHash
+    private val passwordHash: PasswordHash,
+    private val useSecureCookies: Boolean
 ) {
 
     suspend fun login(call: ApplicationCall) {
@@ -58,7 +61,21 @@ class UserController(
 
         val token = authJWT.sign(user.id, user.username)
 
-        call.response.cookies.append("Authorization", "Bearer $token", path = "/")
+        // FIXME
+        val expiresAt = JWT.decode(token).expiresAt
+        val gmtDate = GMTDate(expiresAt.time)
+
+        call.response.cookies.append(
+            name = "Authorization",
+            value = "Bearer $token",
+            secure = useSecureCookies,
+            path = "/",
+            httpOnly = true,
+            expires = gmtDate,
+            extensions = mapOf(
+                "SameSite" to "Lax"
+            )
+        )
         call.respondRedirect("/notes")
     }