From 56fee504cb8c334c087abb6f11aa6376964457f9 Mon Sep 17 00:00:00 2001
From: Wilfredo Alcala
Date: Mon, 20 Mar 2023 12:31:34 -0500
Subject: [PATCH] make jwt cokie http only again

---
 api/handler/common.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/api/handler/common.go b/api/handler/common.go
index b4f35fa0..20699485 100644
--- a/api/handler/common.go
+++ b/api/handler/common.go
@@ -17,7 +17,7 @@ func SetJWTCookie(c echo.Context, jwt service.JWT) error {
 	cookie := new(http.Cookie)
 	cookie.Name = "StringJWT"
 	cookie.Value = jwt.Token
-	// cookie.HttpOnly = true // due the short expiration time it is not needed to be http only
+	cookie.HttpOnly = true
 	cookie.Expires = jwt.ExpAt // we want the cookie to expire at the same time as the token
 	cookie.SameSite = getCookieSameSiteMode()
 	cookie.Path = "/" // Send cookie in every sub path request
@@ -60,6 +60,7 @@ func DeleteAuthCookies(c echo.Context) error {
 	cookie := new(http.Cookie)
 	cookie.Name = "StringJWT"
 	cookie.Value = ""
+	cookie.HttpOnly = true
 	cookie.Expires = time.Now()
 	cookie.SameSite = getCookieSameSiteMode()
 	cookie.Path = "/" // Send cookie in every sub path request
@@ -69,6 +70,7 @@ func DeleteAuthCookies(c echo.Context) error {
 	cookie = new(http.Cookie)
 	cookie.Name = "refresh_token"
 	cookie.Value = ""
+	cookie.HttpOnly = true
 	cookie.Expires = time.Now()
 	cookie.SameSite = getCookieSameSiteMode()
 	cookie.Path = "/login/" // Send cookie only in refresh path request
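Review bot: The re-enabled `cookie.HttpOnly = true` in SetJWTCookie replaces a comment whose rationale ("short expiration time" makes HttpOnly unnecessary) was wrong, and the new line carries no explanation, so the next reader is as likely to comment it out again; I would keep a why-comment on it: `cookie.HttpOnly = true // keep the JWT out of document.cookie: a short lifetime does not stop injected script from exfiltrating it while it is valid`. The hunk also does not show `cookie.Secure` being set for the bearer-token cookie; if it is not set further down, the token can be sent over plain HTTP, and if getCookieSameSiteMode() ever returns http.SameSiteNoneMode browsers drop the cookie without Secure — worth confirming against the rest of the function. SetJWTCookie's body continues outside the hunk.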
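Review bot: The clearing cookie for StringJWT in DeleteAuthCookies relies on `cookie.Expires = time.Now()`, which is evaluated against the client's clock; a browser whose clock is behind the server keeps the logged-out JWT cookie alive until the skew elapses. Adding `cookie.MaxAge = -1 // emitted as Max-Age=0: deleted regardless of client clock skew` next to Expires removes the cookie immediately on every client (Max-Age takes precedence where supported, Expires stays for the rest). The same pattern applies to the refresh_token clearing cookie in the next hunk. The added `HttpOnly = true` on the deletion cookie is harmless, though browsers match a deletion on name, domain and path only, so it is the `Path = "/"` agreeing with SetJWTCookie that actually makes the removal work. DeleteAuthCookies' signature and the rest of its body lie outside the hunk.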
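Review bot: The refresh_token clearing cookie only replaces the live one if its `Path = "/login/"` is byte-identical to the path the refresh cookie was originally set with, which this diff does not show; a mismatch such as `/login` versus `/login/` leaves the refresh token in the browser after logout while the handler reports success. I would pin that with a comment on the path line, `cookie.Path = "/login/" // must match the Path used when the refresh cookie was issued, or the browser keeps the old one`, or better, have both the issuing and clearing code read the path from one shared constant. As with the StringJWT cookie above, `Expires = time.Now()` depends on the client clock, and `cookie.MaxAge = -1` makes the deletion immediate. The enclosing DeleteAuthCookies continues past the end of the hunk.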