Feature: Improve config for http server (#67)

* feat: improve config for http server

* Feature: Support multiple action status per release (#69)

* feat: move release actions to separate table

* chore: update sqlite driver

* fix(indexers): btn api client (#71)

What:

*  Api key and torrentId in wrong order
*  Set hardcoded ID in jsonrpc request object
*  ParsetorrentId from url

Fixes #68

* feat: show irc network status in settings list

* feat: show irc channel status

* chore: go mod tidy

* feat: improve config for http server

* feat: add context to user repo

* feat: only set secure cookie if https

internal/http/auth.go

@@ -1,38 +1,37 @@
 package http
 
 import (
+	"context"
 	"encoding/json"
 	"net/http"
 
 	"github.com/go-chi/chi"
 	"github.com/gorilla/sessions"
 
-	"github.com/autobrr/autobrr/internal/config"
 	"github.com/autobrr/autobrr/internal/domain"
 )
 
 type authService interface {
-	Login(username, password string) (*domain.User, error)
+	Login(ctx context.Context, username, password string) (*domain.User, error)
 }
 
 type authHandler struct {
 	encoder encoder
+	config  domain.Config
 	service authService
+
+	cookieStore *sessions.CookieStore
 }
 
-func newAuthHandler(encoder encoder, service authService) *authHandler {
+func newAuthHandler(encoder encoder, config domain.Config, cookieStore *sessions.CookieStore, service authService) *authHandler {
 	return &authHandler{
-		encoder: encoder,
-		service: service,
+		encoder:     encoder,
+		config:      config,
+		service:     service,
+		cookieStore: cookieStore,
 	}
 }
 
-var (
-	// key will only be valid as long as it's running.
-	key   = []byte(config.Config.SessionSecret)
-	store = sessions.NewCookieStore(key)
-)
-
 func (h authHandler) Routes(r chi.Router) {
 	r.Post("/login", h.login)
 	r.Post("/logout", h.logout)
@@ -51,12 +50,23 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	store.Options.Secure = true
-	store.Options.HttpOnly = true
-	store.Options.SameSite = http.SameSiteStrictMode
-	session, _ := store.Get(r, "user_session")
+	h.cookieStore.Options.HttpOnly = true
+	h.cookieStore.Options.SameSite = http.SameSiteLaxMode
+	h.cookieStore.Options.Path = h.config.BaseURL
 
-	_, err := h.service.Login(data.Username, data.Password)
+	// autobrr does not support serving on TLS / https, so this is only available behind reverse proxy
+	// if forwarded protocol is https then set cookie secure
+	// SameSite Strict can only be set with a secure cookie. So we overwrite it here if possible.
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+	fwdProto := r.Header.Get("X-Forwarded-Proto")
+	if fwdProto == "https" {
+		h.cookieStore.Options.Secure = true
+		h.cookieStore.Options.SameSite = http.SameSiteStrictMode
+	}
+
+	session, _ := h.cookieStore.Get(r, "user_session")
+
+	_, err := h.service.Login(ctx, data.Username, data.Password)
 	if err != nil {
 		h.encoder.StatusResponse(ctx, w, nil, http.StatusUnauthorized)
 		return
@@ -72,7 +82,7 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
 func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	session, _ := store.Get(r, "user_session")
+	session, _ := h.cookieStore.Get(r, "user_session")
 
 	// Revoke users authentication
 	session.Values["authenticated"] = false
@@ -83,7 +93,7 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
 
 func (h authHandler) test(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	session, _ := store.Get(r, "user_session")
+	session, _ := h.cookieStore.Get(r, "user_session")
 
 	// Check if user is authenticated
 	if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {