From ca0d81c16816493a4a53f2232969680d26a1325f Mon Sep 17 00:00:00 2001
From: AH-dark
Date: Wed, 20 Jul 2022 11:50:59 +0800
Subject: [PATCH] Feat: configurations in conf package to control the `SameSite` mode and `Secure` value of the session.
---
 middleware/session.go | 17 +++++++++++++++--
 pkg/conf/conf.go | 2 ++
 pkg/conf/defaults.go | 2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/middleware/session.go b/middleware/session.go
index 562601cd..25d9b09e 100644
--- a/middleware/session.go
+++ b/middleware/session.go
@@ -2,6 +2,7 @@ package middleware
 import (
 "net/http"
+ "strings"
 "github.com/cloudreve/Cloudreve/v3/pkg/conf"
 "github.com/cloudreve/Cloudreve/v3/pkg/serializer"
@@ -30,13 +31,25 @@ func Session(secret string) gin.HandlerFunc {
 Store = memstore.NewStore([]byte(secret))
 }
+ sameSiteMode := http.SameSiteDefaultMode
+ switch strings.ToLower(conf.CORSConfig.SameSite) {
+ case "default":
+ sameSiteMode = http.SameSiteDefaultMode
+ case "none":
+ sameSiteMode = http.SameSiteNoneMode
+ case "strict":
+ sameSiteMode = http.SameSiteStrictMode
+ case "lax":
+ sameSiteMode = http.SameSiteLaxMode
+ }
+
 // Also set Secure: true if using SSL, you should though
 Store.Options(sessions.Options{
 HttpOnly: true,
 MaxAge: 7 * 86400,
 Path: "/",
- SameSite: http.SameSiteNoneMode,
- Secure: true,
+ SameSite: sameSiteMode,
+ Secure: conf.CORSConfig.Secure,
 })
 return sessions.Sessions("cloudreve-session", Store)
diff --git a/pkg/conf/conf.go b/pkg/conf/conf.go
index a9f7d06e..6e1fb0c4 100644
--- a/pkg/conf/conf.go
+++ b/pkg/conf/conf.go
@@ -61,6 +61,8 @@ type cors struct {
 AllowHeaders []string
 AllowCredentials bool
 ExposeHeaders []string
+ SameSite string
+ Secure bool
 }
 var cfg *ini.File
diff --git a/pkg/conf/defaults.go b/pkg/conf/defaults.go
index eabaee5e..fc5eef1c 100644
--- a/pkg/conf/defaults.go
+++ b/pkg/conf/defaults.go
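Review bot: The new switch in Session lets the store emit a `SameSite=None` cookie with `Secure=false` when the two config keys are set that way, a combination browsers discard, so cross-site logins would silently stop working; add a guard after the switch such as `if sameSiteMode == http.SameSiteNoneMode && !conf.CORSConfig.Secure { /* warn, or force Secure */ }` (I cannot see which logger this package has in scope, so the body is left to the author). Unrecognised `SameSite` values also fall through to `SameSiteDefaultMode` with no diagnostic; a `default:` arm that reports the offending setting would catch typos, and the `case "default":` arm is redundant with the initialiser. The surviving comment `// Also set Secure: true if using SSL, you should though` no longer matches the code; `// SameSite and Secure come from conf.CORSConfig; browsers only accept SameSite=None together with Secure` would. Session's body starts before this hunk.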
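Review bot: The two new `cors` fields carry no comment saying which values are accepted, although middleware/session.go in this same patch only recognises `default`, `none`, `strict` and `lax` (case-insensitively) and maps anything else to the browser default. A field comment such as `// SameSite is the session cookie's SameSite mode: default, none, strict or lax (case-insensitive).` and `// Secure sets the Secure flag on the session cookie; browsers require it when SameSite is none.` would state the contract where operators configure it. The enclosing struct continues outside the hunk.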
@@ -30,6 +30,8 @@ var CORSConfig = &cors{
 AllowHeaders: []string{"Cookie", "X-Cr-Policy", "Authorization", "Content-Length", "Content-Type", "X-Cr-Path", "X-Cr-FileName"},
 AllowCredentials: false,
 ExposeHeaders: nil,
+ SameSite: "Default",
+ Secure: false,
 }
 // SlaveConfig 从机配置
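Review bot: Defaulting `Secure: false` together with `SameSite: "Default"` changes the cookie existing deployments get: the removed lines in middleware/session.go show it was previously always `SameSite=None; Secure`, so an HTTPS instance that does not add the new keys now issues its session cookie without the Secure flag, and a cross-site frontend may lose the session depending on the browser's default SameSite handling. Consider shipping `Secure: true` (the old behaviour) as the default, or at least calling out the new keys and the behaviour change in the release notes and config template. The `CORSConfig` literal begins before this hunk.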