fix : allow xsrf cookies to be sent over non-secure connections

src/server/Config/ContainerRegistry.cs

@@ -16,8 +16,8 @@ public ContainerRegistry()
             };
 
             For<IConfiguration>().Use(WebApp.Configuration).Singleton();
-            // For<DbContextBase>().Use<NpgSqlContext>();
-            For<DbContextBase>().Use<MsSqlContext>();
+            //For<DbContextBase>().Use<NpgSqlContext>();
+            //For<DbContextBase>().Use<MsSqlContext>();
             For<Filters.ApiResultFilter>();
             For<Filters.ApiExceptionFilter>().Use(() => new Filters.ApiExceptionFilter(targets));
             For<Filters.IdentityMappingFilter>();

src/server/Config/Server.cs

@@ -15,6 +15,7 @@ public class AntiForgeryConfig
             public string ClientName { get; set; }
             public string CookieName { get; set; }
             public string HeaderName { get; set; }
+            public bool RequireSsl { get; set; }
         }
     }
 

src/server/Middleware/AntiforgeryMiddleware.cs

@@ -9,6 +9,7 @@
 using Microsoft.AspNetCore.Http.Extensions;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
 
 namespace Toucan.Server
 {
@@ -30,12 +31,13 @@ public static void UseAntiforgeryMiddleware(this IApplicationBuilder app, string
 
                     if (tokenSet.RequestToken != null)
                     {
-                        context.Response.Cookies.Append(clientName, tokenSet.RequestToken, new CookieOptions() { HttpOnly = false, Secure = true });
+                        var options = context.RequestServices.GetRequiredService<IOptions<AppConfig>>().Value;
+                        var cookieOptions = new CookieOptions() { HttpOnly = false, Secure = options.Server.AntiForgery.RequireSsl };
+                        context.Response.Cookies.Append(clientName, tokenSet.RequestToken, cookieOptions);
                     }
                 }
                 await next.Invoke();
             });
         }
-
     }
-}
+}

src/server/Startup.cs

@@ -73,14 +73,12 @@ public IServiceProvider ConfigureServices(IServiceCollection services)
             services.Configure<Toucan.Data.Config>(WebApp.Configuration.GetSection("data")); // configuration
             services.Configure<Toucan.Server.Config>(WebApp.Configuration.GetSection("server"));
 
-            services.ConfigureMvc(WebApp.Configuration.GetTypedSection<Config.AntiForgeryConfig>("server:antiForgery"));
             services.AddMemoryCache();
-
-
+            services.ConfigureMvc(WebApp.Configuration.GetTypedSection<Config.AntiForgeryConfig>("server:antiForgery"));
             services.ConfigureAuthentication(tokenProvider, new string[] { "admin" });
 
             // services.AddDbContext<NpgSqlContext>(options =>
-            // {    
+            // {   
             //     string assemblyName = typeof(Toucan.Data.Config).GetAssemblyName();
             //     options.UseNpgsql(dataConfig.ConnectionString, s => s.MigrationsAssembly(assemblyName));
             // });

src/server/app.development.json

@@ -18,7 +18,8 @@
         "antiForgery": {
             "cookieName": "XSRF-COOKIE",
             "headerName": "X-XSRF-TOKEN",
-            "clientName": "XSRF-TOKEN"
+            "clientName": "XSRF-TOKEN",
+            "requireSsl": false
         }
     },
     "service": {

src/server/app.production.json

@@ -18,7 +18,8 @@
         "antiForgery": {
             "cookieName": "XSRF-COOKIE",
             "headerName": "X-XSRF-TOKEN",
-            "clientName": "XSRF-TOKEN"
+            "clientName": "XSRF-TOKEN",
+            "requireSsl": true
         }
     },
     "service": {

src/ui/package.json

@@ -1,6 +1,6 @@
 {
   "name": "toucan.ui",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "UI project for Toucan template",
   "keywords": [
     "vuejs",