feat: add configurable auth cookie lifetime and httpOnly setting

Author: adrianschubek

Dockerfile

@@ -126,6 +126,11 @@ ENV PREFETCH_FILES=false
 
 ENV CORS_ALLOW_ANY_ORIGIN=true
 
+# seconds. default 60 * 60 * 24 * 7 = 7 days
+ENV AUTH_COOKIE_LIFETIME=604800
+
+ENV AUTH_COOKIE_HTTPONLY=true
+
 EXPOSE 8080
 
 CMD ["/init.sh"]

src/index.php

@@ -81,10 +81,10 @@ function set_auth_cookie(string $key): void
   if ($path === '') $path = '/';
   // Cookie is httpOnly to avoid leaking via JS.
   setcookie('dir_browser_key', $key, [
-    'expires' => time() + 60 * 60 * 24 * 30,
+    'expires' => time() + ${{`process.env.AUTH_COOKIE_LIFETIME`}}$,
     'path' => $path,
     'secure' => $secure,
-    'httponly' => true,
+    'httponly' => ${{`process.env.AUTH_COOKIE_HTTPONLY`}}$,
     'samesite' => 'Lax',
   ]);
 }