fix cookies when self hosting on http

README.md

@@ -50,6 +50,9 @@ api:
   # Make sure to add {public_url}/auth/callback to the OAuth2 Redirect URLs of your application in the Discord dev portal
   public_url: "http://localhost:5173/api"
 
+  # Make sure to enable this when you don't have an SSL (HTTPS) certificate
+  insecure_cookies: true
+
   host: "localhost"
   port: 8080
 
@@ -138,6 +141,7 @@ services:
       - "8080:8080"
     environment:
       - EMBEDG_API__HOST=0.0.0.0
+      - EMBEDG_API__INSECURE_COOKIES=true
       - EMBEDG_POSTGRES__HOST=postgres
       - EMBEDG_POSTGRES__USER=postgres
       - EMBEDG_POSTGRES__DB=embedg

docker-compose.yaml

@@ -36,6 +36,7 @@ services:
       - "8080:8080"
     environment:
       - EMBEDG_API__HOST=0.0.0.0
+      - EMBEDG_API__INSECURE_COOKIES=true
       - EMBEDG_POSTGRES__HOST=postgres
       - EMBEDG_POSTGRES__USER=postgres
       - EMBEDG_POSTGRES__DB=embedg

embedg-server/api/handlers/auth/handler.go

@@ -170,7 +170,7 @@ func setOauthStateCookie(c *fiber.Ctx) string {
 		Name:     "oauth_state",
 		Value:    state,
 		HTTPOnly: true,
-		Secure:   true,
+		Secure:   !viper.GetBool("api.insecure_cookies"),
 	})
 	return state
 }

embedg-server/api/session/session.go

@@ -12,6 +12,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/merlinfuchs/embed-generator/embedg-server/db/postgres"
 	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
 )
 
 type Session struct {
@@ -88,7 +89,7 @@ func (s *SessionManager) CreateSessionCookie(c *fiber.Ctx, token string) {
 		Name:     "session_token",
 		Value:    token,
 		HTTPOnly: true,
-		Secure:   true,
+		Secure:   !viper.GetBool("api.insecure_cookies"),
 		SameSite: "strict",
 		Expires:  time.Now().UTC().Add(30 * 24 * time.Hour),
 	})