From fda08ac1cd88842e25dc47395ed1288a5cfac4f8 Mon Sep 17 00:00:00 2001
From: Chris Danis
Date: Sat, 18 Jan 2025 16:33:41 -0500
Subject: [PATCH] fix: always set secure on cookie (#130)
---
 backend/internal/controller/user_controller.go | 4 ++--
 backend/internal/controller/webauthn_controller.go | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/backend/internal/controller/user_controller.go b/backend/internal/controller/user_controller.go
index 8854cd9..4f59c43 100644
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -166,7 +166,7 @@ func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 return
 }
- c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+ c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", true, true)
 c.JSON(http.StatusOK, userDto)
 }
@@ -183,7 +183,7 @@ func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
 return
 }
- c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+ c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", true, true)
 c.JSON(http.StatusOK, userDto)
 }
diff --git a/backend/internal/controller/webauthn_controller.go b/backend/internal/controller/webauthn_controller.go
index a37f957..894a316 100644
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -40,7 +40,7 @@ func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 return
 }
- c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+ c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", true, true)
 c.JSON(http.StatusOK, options.Response)
 }
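Review bot: None of the `c.SetCookie` calls in this patch sets a SameSite policy, starting with the `access_token` cookie in `exchangeOneTimeAccessTokenHandler`. gin takes that attribute from `c.SetSameSite(...)` called on the context before `SetCookie`, so unless middleware outside these hunks does that, the cookies go out with `Secure` and `HttpOnly` only and cross-site behaviour is left to each browser's default. Consider `c.SetSameSite(http.SameSiteLaxMode)` ahead of each call (or Strict, if the login flow never arrives by cross-site navigation); the same applies to `getSetupAccessTokenHandler` and the four calls in webauthn_controller.go. The handler bodies start outside the hunks.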
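Review bot: The attribute list `"/", "", true, true` is spelled out at every `access_token` call site, here in `getSetupAccessTokenHandler` and again in `exchangeOneTimeAccessTokenHandler`, `verifyLoginHandler` and `logoutHandler`, which is how the `secure` flag came to need the same fix in six places across the two files. A small unexported helper, for example `func setAccessTokenCookie(c *gin.Context, token string, maxAge int)` wrapping the single `c.SetCookie("access_token", token, maxAge, "/", "", true, true)` call, would keep path, `Secure` and `HttpOnly` in one place. A short comment there should also state that `Secure` is unconditional, so a deployment served over plain HTTP will not get the cookie back from the browser. The handler body starts outside the hunk.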
@@ -74,7 +74,7 @@ func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
 return
 }
- c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+ c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", true, true)
 c.JSON(http.StatusOK, options.Response)
 }
@@ -103,7 +103,7 @@ func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
 return
 }
- c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+ c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", true, true)
 c.JSON(http.StatusOK, userDto)
 }
@@ -163,6 +163,6 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 }
 func (wc *WebauthnController) logoutHandler(c *gin.Context) {
- c.SetCookie("access_token", "", 0, "/", "", false, true)
+ c.SetCookie("access_token", "", 0, "/", "", true, true)
 c.Status(http.StatusNoContent)
 }
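Review bot: In `logoutHandler` the cookie is cleared with a `maxAge` of 0, which gin passes straight to `http.Cookie.MaxAge`, where 0 means no `Max-Age` attribute is written, so the browser keeps an empty `access_token` session cookie instead of deleting it. A negative value makes net/http emit `Max-Age=0` and removes the cookie at once: `c.SetCookie("access_token", "", -1, "/", "", true, true)`. The handler as shown only clears the cookie; whether the token itself is invalidated server-side is not visible in this hunk, so a token copied before logout may stay usable until it expires, which is worth confirming.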