cookie configuration

Femto.Api/Auth/CookieSettings.cs

@@ -0,0 +1,7 @@
+namespace Femto.Api.Auth;
+
+public class CookieSettings
+{
+    public bool SameSite { get; set; }
+    public bool Secure { get; set; }
+}

Femto.Api/Auth/SessionAuthenticationHandler.cs

@@ -15,7 +15,8 @@ internal class SessionAuthenticationHandler(
     ILoggerFactory logger,
     UrlEncoder encoder,
     IAuthModule authModule,
-    CurrentUserContext currentUserContext
+    CurrentUserContext currentUserContext,
+    IOptions<CookieSettings> cookieOptions
 ) : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
 {
     protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
@@ -38,7 +39,7 @@ internal class SessionAuthenticationHandler(
             var identity = new ClaimsIdentity(claims, this.Scheme.Name);
             var principal = new ClaimsPrincipal(identity);
 
-            this.Context.SetSession(result.Session);
+            this.Context.SetSession(result.Session, cookieOptions.Value);
             currentUserContext.CurrentUser = new CurrentUser(result.UserId, result.Username);
 
             return AuthenticateResult.Success(

Femto.Api/Controllers/Auth/AuthController.cs

@@ -1,14 +1,16 @@
+using Femto.Api.Auth;
 using Femto.Api.Sessions;
 using Femto.Modules.Auth.Application;
 using Femto.Modules.Auth.Application.Commands.Login;
 using Femto.Modules.Auth.Application.Commands.Register;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
 
 namespace Femto.Api.Controllers.Auth;
 
 [ApiController]
 [Route("auth")]
-public class AuthController(IAuthModule authModule) : ControllerBase
+public class AuthController(IAuthModule authModule, IOptions<CookieSettings> cookieSettings) : ControllerBase
 {
     [HttpPost("login")]
     public async Task<ActionResult<LoginResponse>> Login([FromBody] LoginRequest request)
@@ -17,7 +19,7 @@ public class AuthController(IAuthModule authModule) : ControllerBase
             new LoginCommand(request.Username, request.Password)
         );
 
-        HttpContext.SetSession(result.Session);
+        HttpContext.SetSession(result.Session, cookieSettings.Value);
 
         return new LoginResponse(result.UserId, result.Username);
     }
@@ -29,7 +31,7 @@ public class AuthController(IAuthModule authModule) : ControllerBase
             new RegisterCommand(request.Username, request.Password)
         );
 
-        HttpContext.SetSession(result.Session);
+        HttpContext.SetSession(result.Session, cookieSettings.Value);
 
         return new RegisterResponse(result.UserId, result.Username);
     }

Femto.Api/Program.cs

@@ -66,6 +66,9 @@ builder
         options.JsonSerializerOptions.NumberHandling = JsonNumberHandling.AllowReadingFromString;
     });
 
+builder.Services.Configure<CookieSettings>(
+    builder.Configuration.GetSection("Cookies"));
+
 builder
     .Services.AddAuthentication("SessionAuth")
     .AddScheme<AuthenticationSchemeOptions, SessionAuthenticationHandler>(

Femto.Api/Sessions/HttpContextSessionExtensions.cs

@@ -1,10 +1,11 @@
+using Femto.Api.Auth;
 using Femto.Modules.Auth.Application.Dto;
 
 namespace Femto.Api.Sessions;
 
 internal static class HttpContextSessionExtensions
 {
-    public static void SetSession(this HttpContext httpContext, Session session)
+    public static void SetSession(this HttpContext httpContext, Session session, CookieSettings cookieSettings)
     {
         httpContext.Response.Cookies.Append(
             "session",
@@ -12,8 +13,8 @@ internal static class HttpContextSessionExtensions
             new CookieOptions
             {
                 HttpOnly = true,
-                // Secure = true,
-                // SameSite = SameSiteMode.Strict,
+                Secure = cookieSettings.Secure,
+                SameSite = cookieSettings.SameSite? SameSiteMode.Strict : SameSiteMode.None,
                 Expires = session.Expires,
             }
         );