authormo khan <mo@mokhan.ca>2025-04-30 11:47:07 -0600
committermo khan <mo@mokhan.ca>2025-04-30 11:47:07 -0600
commitb992722e806e45ac3ade8ced829d939299c37c41 (patch)
treeaa4d01631e8960a65ad8561085ec38b8a61f283e /pkg
parent37a825b810d34a84044d43bd1bed579fcdc31874 (diff)
fix: disable secure cookies in development mode
Diffstat (limited to 'pkg')
-rw-r--r--pkg/web/cookie/cookie_test.go14
-rw-r--r--pkg/web/cookie/new.go3
2 files changed, 13 insertions, 4 deletions
diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index f7f013d..523e496 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -12,14 +12,22 @@ import (
func TestCookie(t *testing.T) {
t.Run("New", func(t *testing.T) {
t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
+ env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "production"}, func() {
cookie := New("name", "value", time.Now().Add(1*time.Minute))
assert.Equal(t, "sparkle.example.com", cookie.Domain)
- assert.Equal(t, true, cookie.HttpOnly)
- assert.Equal(t, true, cookie.Secure)
+ assert.True(t, cookie.HttpOnly)
+ assert.True(t, cookie.Secure)
assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
})
})
+
+ t.Run("disables the secure flag for development", func(t *testing.T) {
+ env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "development"}, func() {
+ cookie := New("name", "value", time.Now().Add(1*time.Minute))
+ assert.True(t, cookie.HttpOnly)
+ assert.False(t, cookie.Secure)
+ })
+ })
})
t.Run("Reset", func(t *testing.T) {
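Review bot: The two new cases pin only the explicit "production" and "development" values; nothing exercises APP_ENV unset or set to something else ("staging", "prod"), which is exactly the path a misconfigured deployment takes and where the Secure flag silently disappears given New's "development" default. Add a third `t.Run` next to the development one, e.g. `env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "staging"}, func() { ... assert.True(t, cookie.Secure) })`; with the current implementation that assertion fails, which is the point — the test documents the intended fail-closed policy. I'd also have the development case assert `cookie.Domain` and `cookie.SameSite` like the production one does, so a future relaxation of those for dev is caught too. TestCookie continues past the end of this hunk.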
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index d4d0700..6dc9a2e 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
@@ -8,6 +8,7 @@ import (
)
func New(name, value string, expires time.Time) *http.Cookie {
+ appEnv := env.Fetch("APP_ENV", "development")
return &http.Cookie{
Name: name,
Value: value, // TODO:: digitally sign the value
@@ -15,7 +16,7 @@ func New(name, value string, expires time.Time) *http.Cookie {
MaxAge: int(time.Until(expires).Seconds()),
Path: "/",
HttpOnly: true,
- Secure: true,
+ Secure: appEnv == "production",
SameSite: http.SameSiteStrictMode,
Domain: env.Fetch("HOST", "localhost"),
}
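Review bot: `Secure: appEnv == "production",` fails open: `env.Fetch("APP_ENV", "development")` on the first line of New means an environment where APP_ENV is unset, or set to anything other than the exact string "production" (e.g. "prod", "staging"), issues cookies without the Secure attribute, so the still-unsigned value (see the TODO on Value) can be sent over plain HTTP by a downgraded or mixed-content request. Make the relaxation an explicit opt-out rather than an opt-in: `appEnv := env.Fetch("APP_ENV", "production")` and `Secure: appEnv != "development",` — unknown and missing values then keep the flag, and both new tests still pass. A short why-comment would help the next reader: `// Secure is dropped only for explicit local development over plain http; any other or unset APP_ENV keeps it.` The HOST default of "localhost" suggests the relaxation could additionally be gated on the host, but the hunk does not show how HOST is set in dev, so confirm before tying the two together.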