fix: the CSRF cookie needs to have a same site lax mode

2 files changed, 2 insertions, 11 deletions

diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index 523e496..2f600f4 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -12,7 +12,7 @@ import (
 func TestCookie(t *testing.T) {
 	t.Run("New", func(t *testing.T) {
 		t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
-			env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "production"}, func() {
+			env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
 				cookie := New("name", "value", time.Now().Add(1*time.Minute))
 				assert.Equal(t, "sparkle.example.com", cookie.Domain)
 				assert.True(t, cookie.HttpOnly)
@@ -20,14 +20,6 @@ func TestCookie(t *testing.T) {
 				assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
 			})
 		})
-
-		t.Run("disables the secure flag for development", func(t *testing.T) {
-			env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "development"}, func() {
-				cookie := New("name", "value", time.Now().Add(1*time.Minute))
-				assert.True(t, cookie.HttpOnly)
-				assert.False(t, cookie.Secure)
-			})
-		})
 	})
 
 	t.Run("Reset", func(t *testing.T) {
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index 6dc9a2e..d4d0700 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
@@ -8,7 +8,6 @@ import (
 )
 
 func New(name, value string, expires time.Time) *http.Cookie {
-	appEnv := env.Fetch("APP_ENV", "development")
 	return &http.Cookie{
 		Name:     name,
 		Value:    value, // TODO:: digitally sign the value
@@ -16,7 +15,7 @@ func New(name, value string, expires time.Time) *http.Cookie {
 		MaxAge:   int(time.Until(expires).Seconds()),
 		Path:     "/",
 		HttpOnly: true,
-		Secure:   appEnv == "production",
+		Secure:   true,
 		SameSite: http.SameSiteStrictMode,
 		Domain:   env.Fetch("HOST", "localhost"),
 	}