Allow disabling Secure cookie flag

YuriyDurov · YuriyDurov · commit 100519dee541 · 2025-02-05T18:59:11.000+04:00
diff --git a/src/BitzArt.Blazor.Auth.Server/Extensions/ServerSideAddBlazorAuthExtensions.cs b/src/BitzArt.Blazor.Auth.Server/Extensions/ServerSideAddBlazorAuthExtensions.cs
@@ -16,32 +16,37 @@ public static class ServerSideAddBlazorAuthExtensions
     /// using default implementations of <see cref="IAuthenticationService"/> and <see cref="IIdentityClaimsService"/>.
     /// </summary>
     /// <param name="builder">The <see cref="IHostApplicationBuilder"/> to add services to.</param>
+    /// <param name="configure">An <see cref="Action"/> to configure <see cref="BlazorAuthServerOptions"/>.</param>
     /// <returns><see cref="IHostApplicationBuilder"/> to allow chaining.</returns>
-    public static IHostApplicationBuilder AddBlazorAuth(this IHostApplicationBuilder builder)
+    public static IHostApplicationBuilder AddBlazorAuth(this IHostApplicationBuilder builder, Action<BlazorAuthServerOptions>? configure = null)
     {
-        return builder.AddBlazorAuth<DefaultAuthenticationService, IdentityClaimsService>();
+        return builder.AddBlazorAuth<DefaultAuthenticationService, IdentityClaimsService>(configure);
     }
 
     /// <summary>
     /// Adds server-side Blazor.Auth services to the specified <see cref="IHostApplicationBuilder"/>, <br />
     /// using the default implementation of <see cref="IIdentityClaimsService"/>.
     /// </summary>
     /// <typeparam name="TAuthenticationService">The type of the server-side authentication service.</typeparam>
-    public static IHostApplicationBuilder AddBlazorAuth<TAuthenticationService>(this IHostApplicationBuilder builder)
+    public static IHostApplicationBuilder AddBlazorAuth<TAuthenticationService>(this IHostApplicationBuilder builder, Action<BlazorAuthServerOptions>? configure = null)
         where TAuthenticationService : class, IAuthenticationService
     {
-        return builder.AddBlazorAuth<TAuthenticationService, IdentityClaimsService>();
+        return builder.AddBlazorAuth<TAuthenticationService, IdentityClaimsService>(configure);
     }
 
     /// <summary>
     /// Adds server-side Blazor.Auth services to the specified <see cref="IHostApplicationBuilder"/>.
     /// </summary>
     /// <typeparam name="TAuthenticationService">The type of the server-side authentication service.</typeparam>
     /// <typeparam name="TIdentityClaimsService">The type of the identity claims service.</typeparam>
-    public static IHostApplicationBuilder AddBlazorAuth<TAuthenticationService, TIdentityClaimsService>(this IHostApplicationBuilder builder)
+    public static IHostApplicationBuilder AddBlazorAuth<TAuthenticationService, TIdentityClaimsService>(this IHostApplicationBuilder builder, Action<BlazorAuthServerOptions>? configure = null)
         where TAuthenticationService : class, IAuthenticationService
         where TIdentityClaimsService : class, IIdentityClaimsService
     {
+        var options = new BlazorAuthServerOptions();
+        configure?.Invoke(options);
+        builder.Services.AddSingleton(options);
+
         builder.AddBlazorCookies();
         builder.Services.AddScoped<IBlazorAuthLogger, BlazorAuthLogger>();
 
diff --git a/src/BitzArt.Blazor.Auth.Server/Options/BlazorAuthServerOptions.cs b/src/BitzArt.Blazor.Auth.Server/Options/BlazorAuthServerOptions.cs
@@ -0,0 +1,12 @@
+﻿namespace BitzArt.Blazor.Auth.Server;
+
+/// <summary>
+/// Options for the Blazor Auth Server.
+/// </summary>
+public class BlazorAuthServerOptions
+{
+    /// <summary>
+    /// Allows the app to operate in a non-HTTPS environment.
+    /// </summary>
+    public bool DisableSecureCookieFlag { get; set; } = false;
+}
diff --git a/src/BitzArt.Blazor.Auth.Server/Services/StaticUserService.cs b/src/BitzArt.Blazor.Auth.Server/Services/StaticUserService.cs
@@ -10,7 +10,8 @@ internal class StaticUserService(
     IBlazorAuthLogger logger,
     IAuthenticationService authService,
     ICookieService cookieService,
-    IIdentityClaimsService claimsService
+    IIdentityClaimsService claimsService,
+    BlazorAuthServerOptions options
     ) : IUserService
 {
     private protected static AuthenticationState UnauthorizedState => new(new ClaimsPrincipal());
@@ -78,13 +79,15 @@ private protected async Task SaveJwtPairAsync(JwtPair? jwtPair, CancellationToke
     {
         if (jwtPair is null) return;
 
+        var secure = !options.DisableSecureCookieFlag;
+
         if (!string.IsNullOrWhiteSpace(jwtPair.AccessToken))
             await cookieService.SetAsync(
                 Cookies.AccessToken,
                 jwtPair.AccessToken!,
                 jwtPair.AccessTokenExpiresAt,
                 httpOnly: true,
-                secure: true,
+                secure: secure,
                 sameSiteMode: SameSiteMode.Strict,
                 cancellationToken: cancellationToken);
 
@@ -94,7 +97,7 @@ await cookieService.SetAsync(
                 jwtPair.RefreshToken!,
                 jwtPair.RefreshTokenExpiresAt,
                 httpOnly: true,
-                secure: true,
+                secure: secure,
                 sameSiteMode: SameSiteMode.Strict,
                 cancellationToken: cancellationToken);
     }
