Make cookie.token: secure and httpOnly configurable

yhttp · Oct 28, 2021 · a78f7aa · a78f7aa
1 parent 8020d17
commit a78f7aa
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/yhttp/ext/auth/__init__.py b/yhttp/ext/auth/__init__.py
@@ -2,4 +2,4 @@
 from .install import install
 from .token import JWT
 
-__version__ = '2.0.5'
+__version__ = '2.0.6'
diff --git a/yhttp/ext/auth/token.py b/yhttp/ext/auth/token.py
@@ -46,6 +46,8 @@ class JWT:
       cookie:
         key: yhttp-auth
         token:
+          secure: true
+          httponly: true
           maxage: 2592000  # 1 Month
           domain:
 
@@ -108,15 +110,20 @@ def permitlogin(self, id):
         self.redis.srem(FORBIDDEN_KEY, id)
 
     def setcookie(self, req, payload):
+        settings = self.settings.cookie.token
         token = self.dump(payload)
         req.cookies[self.cookiekey] = token
         entry = req.cookies[self.cookiekey]
-        entry['Max-Age'] = self.settings.cookie.token.maxage
-        entry['Secure'] = True
-        entry['HttpOnly'] = True
-        domain = self.settings.cookie.token.domain
-        if domain:
-            entry['Domain'] = domain
+        entry['Max-Age'] = settings.maxage
+
+        if settings.secure:
+            entry['Secure'] = settings.secure
+
+        if settings.httponly:
+            entry['HttpOnly'] = settings.httponly
+
+        if settings.domain:
+            entry['Domain'] = settings.domain
         # Seems not supported by simple cookie.
         # entry['SameSite'] = 'Strict'
         return entry