From a78f7aa7ac0ec0d50c2d29cfe997b2f6435f38e8 Mon Sep 17 00:00:00 2001 From: pylover Date: Thu, 28 Oct 2021 14:15:05 +0330 Subject: [PATCH] Make cookie.token: secure and httpOnly configurable --- yhttp/ext/auth/__init__.py | 2 +- yhttp/ext/auth/token.py | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/yhttp/ext/auth/__init__.py b/yhttp/ext/auth/__init__.py index bc195ca..2232b76 100644 --- a/yhttp/ext/auth/__init__.py +++ b/yhttp/ext/auth/__init__.py @@ -2,4 +2,4 @@ from .install import install from .token import JWT -__version__ = '2.0.5' +__version__ = '2.0.6' diff --git a/yhttp/ext/auth/token.py b/yhttp/ext/auth/token.py index 679b6b7..1429b80 100644 --- a/yhttp/ext/auth/token.py +++ b/yhttp/ext/auth/token.py @@ -46,6 +46,8 @@ class JWT: cookie: key: yhttp-auth token: + secure: true + httponly: true maxage: 2592000 # 1 Month domain: @@ -108,15 +110,20 @@ def permitlogin(self, id): self.redis.srem(FORBIDDEN_KEY, id) def setcookie(self, req, payload): + settings = self.settings.cookie.token token = self.dump(payload) req.cookies[self.cookiekey] = token entry = req.cookies[self.cookiekey] - entry['Max-Age'] = self.settings.cookie.token.maxage - entry['Secure'] = True - entry['HttpOnly'] = True - domain = self.settings.cookie.token.domain - if domain: - entry['Domain'] = domain + entry['Max-Age'] = settings.maxage + + if settings.secure: + entry['Secure'] = settings.secure + + if settings.httponly: + entry['HttpOnly'] = settings.httponly + + if settings.domain: + entry['Domain'] = settings.domain # Seems not supported by simple cookie. # entry['SameSite'] = 'Strict' return entry
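Review bot: The new `secure: true` and `httponly: true` defaults in the `JWT` docstring hunk (`@@ -46,6 +46,8 @@`) give no hint of what switching them off costs, although `setcookie` (hunk `@@ -108,15 +110,20 @@`) now honours a false value by omitting the flag, so a misconfigured deployment sends the token cookie over plaintext HTTP and exposes it to page script; a comment on each line such as `secure: true  # turn off only for local http development; the token is otherwise sent in clear` and `httponly: true  # keep on in production: blocks script access to the token` would record that. In `setcookie`, `if settings.secure: entry['Secure'] = settings.secure` stores whatever object the settings layer yields, and `http.cookies.Morsel` emits a flag attribute whenever its value is truthy, so a string like `'false'` coming from an environment override would still enable the flag — presumably the loader parses YAML booleans, but `entry['Secure'] = bool(settings.secure)` (and likewise for `HttpOnly`) would make the intent explicit. The retained `# Seems not supported by simple cookie.` comment is out of date: `http.cookies.Morsel` has accepted a `samesite` attribute since Python 3.8, so the commented-out `entry['SameSite'] = 'Strict'` can be enabled once the package's minimum version allows it. `setcookie` lies entirely within the hunk; the `self.redis.srem(FORBIDDEN_KEY, id)` context line belongs to `permitlogin`, whose start is outside it.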