Monorepo for Tangled

appview/oauth: fix session cookie flags for dev mode

gorilla/sessions defaults to Secure=true and SameSite=None, which
prevents the session cookie from being sent over plain HTTP. This
caused immediate logout after a successful OAuth callback in the dev
environment (TANGLED_DEV=true).

The accounts and auth-return cookies already override these defaults
with Secure=!Dev and SameSite=Lax, but the main session cookie
(appview-session-v2) was missing the same treatment. Apply consistent
cookie options at the store level so all sessions inherit them.

Signed-off-by: Alessio Caiazza <code.git@caiazza.info>
AI-assisted: GitLab Duo Agentic Chat (Claude Opus 4.6)

+3
+3
appview/oauth/oauth.go
··· 75 75 } 76 76 77 77 sessStore := sessions.NewCookieStore([]byte(config.Core.CookieSecret)) 78 + sessStore.Options.HttpOnly = true 79 + sessStore.Options.Secure = !config.Core.Dev 80 + sessStore.Options.SameSite = http.SameSiteLaxMode 78 81 79 82 clientApp := oauth.NewClientApp(&oauthConfig, authStore) 80 83 clientApp.Dir = res.Directory()
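Review bot: On the added line `sessStore.Options.Secure = !config.Core.Dev`, the Secure flag of the main session cookie now depends only on the dev switch, so a deployment started with TANGLED_DEV=true behind HTTPS would issue appview-session-v2 without Secure and nothing in this hunk would flag it. Consider logging a startup warning when `config.Core.Dev` is set, and add a short comment above the three assignments explaining why the store defaults are overridden, since that reasoning currently lives only in the commit message. The message also covers Secure and SameSite but not the `HttpOnly = true` line; say in the message or the comment whether that is a behaviour change or only makes an existing setting explicit. Since the message states that the accounts and auth-return cookies already apply Secure=!Dev and SameSite=Lax separately, building all three from one shared options value would stop them drifting apart again.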