homelab/dozzle
1
0
Fork 0
mirror of https://github.com/amir20/dozzle.git synced 2026-06-23 04:10:12 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fix: set Secure flag on jwt cookie when request is HTTPS (#4740)
Deploy VitePress site to Pages / build (push) Has been cancelled
Details
Deploy VitePress site to Pages / Deploy (push) Has been cancelled
Details
Push container / Push branches and PRs (push) Has been cancelled
Details
Test / Typecheck (push) Has been cancelled
Details
Test / JavaScript Tests (push) Has been cancelled
Details
Test / Go Tests (push) Has been cancelled
Details
Test / Go Staticcheck (push) Has been cancelled
Details
Test / Integration Tests (push) Has been cancelled
Details

Browse Source 
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Amir Raminfar
2026-05-24 16:52:44 -07:00
committed by GitHub
parent b7d9d1346a
commit dd2eba59b2
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/web/auth.go
+12
View File
@@ -2,6 +2,7 @@ package web
import (
"net/http"
"strings"
"time"
"github.com/rs/zerolog/log"
@@ -23,6 +24,7 @@ func (h *handler) createToken(w http.ResponseWriter, r *http.Request) {
HttpOnly: true,
Path: "/",
SameSite: http.SameSiteLaxMode,
Secure: isHTTPS(r),
Expires: expires,
})
log.Info().Str("user", user).Msg("Token created")
@@ -41,8 +43,18 @@ func (h *handler) deleteToken(w http.ResponseWriter, r *http.Request) {
HttpOnly: true,
Path: "/",
SameSite: http.SameSiteLaxMode,
Secure: isHTTPS(r),
Expires: time.Unix(0, 0),
})
w.WriteHeader(http.StatusOK)
w.Write([]byte(http.StatusText(http.StatusOK)))
}
// isHTTPS reports whether the original client request used HTTPS, accounting
// for TLS terminated at an upstream reverse proxy via X-Forwarded-Proto.
func isHTTPS(r *http.Request) bool {
if r.TLS != nil {
return true
}
return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}