make session cookie samesite=lax by default

src/app.rs

@@ -38,6 +38,7 @@ pub fn make_app<AS: AddressbookStore, CS: CalendarStore, S: SubscriptionStore>(
     oidc_config: Option<OidcConfig>,
     nextcloud_login_config: NextcloudLoginConfig,
     dav_push_enabled: bool,
+    session_cookie_samesite_strict: bool,
 ) -> Router<()> {
     let combined_cal_store = Arc::new(CombinedCalendarStore::new(
         cal_store.clone(),
@@ -128,7 +129,11 @@ pub fn make_app<AS: AddressbookStore, CS: CalendarStore, S: SubscriptionStore>(
             SessionManagerLayer::new(session_store)
                 .with_name("rustical_session")
                 .with_secure(true)
-                .with_same_site(SameSite::Strict)
+                .with_same_site(if session_cookie_samesite_strict {
+                    SameSite::Strict
+                } else {
+                    SameSite::Lax
+                })
                 .with_expiry(Expiry::OnInactivity(
                     tower_sessions::cookie::time::Duration::hours(2),
                 )),

src/config.rs

@@ -7,6 +7,7 @@ use serde::{Deserialize, Serialize};
 pub struct HttpConfig {
     pub host: String,
     pub port: u16,
+    pub session_cookie_samesite_strict: bool,
 }
 
 impl Default for HttpConfig {
@@ -14,6 +15,7 @@ impl Default for HttpConfig {
         Self {
             host: "0.0.0.0".to_owned(),
             port: 4000,
+            session_cookie_samesite_strict: false,
         }
     }
 }

src/main.rs

@@ -116,6 +116,7 @@ async fn main() -> Result<()> {
                 config.oidc.clone(),
                 config.nextcloud_login.clone(),
                 config.dav_push.enabled,
+                config.http.session_cookie_samesite_strict,
             );
             let app = ServiceExt::<Request>::into_make_service(
                 NormalizePathLayer::trim_trailing_slash().layer(app),