allow config of session cookie sameSite value

[squeep-authentication-module] / lib / session-manager.js

diff --git a/lib/session-manager.js b/lib/session-manager.js
index d399e5bd1fb480044459cde001e7eda8a90f213b..0b4ce4eaff29db733a04c9c8776716e5290c6317 100644 (file)
--- a/lib/session-manager.js
+++ b/lib/session-manager.js
@@ -35,6 +35,7 @@ class SessionManager {
    * @param {string[]} options.authenticator.authnEnabled authentication methods enabled
    * @param {number=} options.authenticator.inactiveSessionLifespanSeconds session timeout
    * @param {boolean} options.authenticator.secureAuthOnly allow only https
+   * @param {string=} options.authenticator.sessionCookieSameSite sameSite setting for session cookie, default Lax
    * @param {object=} options.dingus dingus options
    * @param {string=} options.dingus.proxyPrefix prefix on route paths
    * @param {string} options.dingus.selfBaseUrl base url
@@ -47,6 +48,8 @@ class SessionManager {
     this.db = authenticator.db; // TODO: take db arg in next major version bump
     this.options = options;
     this.proxyPrefix = options.dingus?.proxyPrefix ?? '';
+    this.secureAuthOnly = options.authenticator.secureAuthOnly ?? true;
+    this.sameSite = options.authenticator.sessionCookieSameSite || 'Lax';
     this.indieAuthCommunication = new IndieAuthCommunication(logger, options);
     this.mysteryBox = new MysteryBox(options);
     this.mysteryBox.on('statistics', common.mysteryBoxLogger(logger, _fileScope(this.constructor.name)));
@@ -67,8 +70,8 @@ class SessionManager {
     const secureSession = session && await this.mysteryBox.pack(session) || '""';
     common.addCookie(res, cookieName, secureSession, {
       httpOnly: true,
-      sameSite: 'Lax',
-      secure: this.options.authenticator.secureAuthOnly,
+      sameSite: this.sameSite,
+      secure: this.secureAuthOnly,
       maxAge: session && maxAge || 0,
       path,
     });