From 5a70e3f3f1db7eab66d76f7bf9448fa55d9818ec Mon Sep 17 00:00:00 2001
From: flashwave
Date: Wed, 24 Jan 2024 22:14:42 +0000
Subject: [PATCH] Include SameSite attribute on cookies.
---
 assets/misuzu.js/main.js | 28 +++++++++++++++++-----------
 misuzu.php | 4 ++--
 src/Auth/AuthTokenCookie.php | 21 ++++++++++++++++++---
 3 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/assets/misuzu.js/main.js b/assets/misuzu.js/main.js
index 8c31453..5484634 100644
--- a/assets/misuzu.js/main.js
+++ b/assets/misuzu.js/main.js
@@ -62,20 +62,26 @@
 });
 };
- MszSakuya.trackElements($qa('time'));
- hljs.highlightAll();
+ try {
+ MszSakuya.trackElements($qa('time'));
+ hljs.highlightAll();
- MszEmbed.init(`${location.protocol}//uiharu.${location.host}`);
+ MszEmbed.init(`${location.protocol}//uiharu.${location.host}`);
- // only used by the forum posting form
- initQuickSubmit();
- MszForumEditor($q('.js-forum-posting'));
+ // only used by the forum posting form
+ initQuickSubmit();
+ const forumPostingForm = $q('.js-forum-posting');
+ if(forumPostingForm !== null)
+ MszForumEditor(forumPostingForm);
- const events = new MszSeasonalEvents;
- events.add(new MszChristmas2019EventInfo);
- events.dispatch();
+ const events = new MszSeasonalEvents;
+ events.add(new MszChristmas2019EventInfo);
+ events.dispatch();
- await initLoginPage();
+ await initLoginPage();
- MszEmbed.handle($qa('.js-msz-embed-media'));
+ MszEmbed.handle($qa('.js-msz-embed-media'));
+ } catch(ex) {
+ console.error(ex);
+ }
 })();
diff --git a/misuzu.php b/misuzu.php
index 72f9be4..5de0136 100644
--- a/misuzu.php
+++ b/misuzu.php
@@ -20,8 +20,8 @@ define('MSZ_ASSETS', MSZ_ROOT . '/assets');
 require_once MSZ_ROOT . '/vendor/autoload.php';
 Environment::setDebug(MSZ_DEBUG);
-mb_internal_encoding('utf-8');
-date_default_timezone_set('utc');
+mb_internal_encoding('UTF-8');
+date_default_timezone_set('UTC');
 $cfg = SharpConfig::fromFile(MSZ_CONFIG . '/config.cfg');
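Review bot: The single `try` around the whole startup sequence means one failure (say `hljs.highlightAll()` throwing because the library did not load) still skips everything after it, including `await initLoginPage()` and `MszEmbed.handle(...)`; the commit only turns that abort into a logged error. The steps do not depend on one another, so guarding each one separately would keep the login page working when an unrelated widget breaks. A small helper keeps that readable, with `initLoginPage()` getting its own `try` because it is awaited. The enclosing async IIFE starts before the hunk.
```javascript
    // Run one independent startup step; a failure is logged and does not stop the others.
    const guard = (label, step) => {
        try { step(); } catch(ex) { console.error(label, ex); }
    };
    guard('sakuya', () => MszSakuya.trackElements($qa('time')));
    guard('hljs', () => hljs.highlightAll());
    guard('embed-init', () => MszEmbed.init(`${location.protocol}//uiharu.${location.host}`));
    // … unchanged: initQuickSubmit, forum editor, seasonal events (each wrapped the same way) …
    try { await initLoginPage(); } catch(ex) { console.error('login', ex); }
    guard('embed-media', () => MszEmbed.handle($qa('.js-msz-embed-media')));
```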
diff --git a/src/Auth/AuthTokenCookie.php b/src/Auth/AuthTokenCookie.php
index ec17b2a..21c3266 100644
--- a/src/Auth/AuthTokenCookie.php
+++ b/src/Auth/AuthTokenCookie.php
@@ -1,8 +1,9 @@ modify('+3 months');
+
+ header(sprintf(
+ 'Set-Cookie: msz_auth=%s; Expires=%s; Max-Age=%d; Domain=%s; Path=/; SameSite=Lax; HttpOnly;%s',
+ $packed,
+ $threeMonths->format('D, d M Y H:i:s e'),
+ $threeMonths->getTimestamp() - $now->getTimestamp(),
+ self::domain(),
+ filter_has_var(INPUT_SERVER, 'HTTPS') ? ' Secure' : ''
+ ));
 }
 public static function nuke(): void {
- setcookie('msz_auth', '', -9001, '/', self::domain(), !empty($_SERVER['HTTPS']), true);
+ header(sprintf(
+ 'Set-Cookie: msz_auth=; Expires=Wed, 31 Dec 1969 21:29:59 UTC; Max-Age=-9001; Domain=%s; Path=/; SameSite=Lax; HttpOnly;%s',
+ self::domain(),
+ filter_has_var(INPUT_SERVER, 'HTTPS') ? ' Secure' : ''
+ ));
 }
 }
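Review bot: `header('Set-Cookie: …')` is called with the default `replace = true`, so each of these two calls discards any `Set-Cookie` header already queued for the response (the `setcookie()` calls being replaced always appended); pass `replace: false`, or better, drop the hand-built header. `setcookie()` has accepted `samesite` in its options array since PHP 7.3, and using it also restores the value encoding and `;`-validation the new `sprintf` gives up — nothing here checks what `$packed` contains before it lands in the header. `filter_has_var(INPUT_SERVER, 'HTTPS')` is also a weaker test than the old `!empty($_SERVER['HTTPS'])`: it reads the SAPI's original input rather than `$_SERVER`, and `INPUT_SERVER` is reported as unreliable under some SAPIs, which would silently drop `Secure` on an HTTPS deployment. The method that sets the cookie starts outside the visible hunk (the paste lost everything before `modify('+3 months')`), so the rewrite below begins at the cookie call.
```php
        // … unchanged: $packed, $now and $threeMonths computed above …
        setcookie('msz_auth', $packed, [
            'expires' => $threeMonths->getTimestamp(),
            'path' => '/',
            'domain' => self::domain(),
            'secure' => !empty($_SERVER['HTTPS']),
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }

    public static function nuke(): void {
        setcookie('msz_auth', '', [
            'expires' => -9001,
            'path' => '/',
            'domain' => self::domain(),
            'secure' => !empty($_SERVER['HTTPS']),
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
```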