From 0f4c3518d3b0e7437b70bc31de4e64e7644c2d28 Mon Sep 17 00:00:00 2001
From: sabaimran
Date: Mon, 29 Apr 2024 15:48:45 +0530
Subject: [PATCH] Allow session cookies to be stored with a lax policy for some localhost scenarios

---
 src/khoj/app/settings.py | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/khoj/app/settings.py b/src/khoj/app/settings.py
index 42ff8ad0..27be968e 100644
--- a/src/khoj/app/settings.py
+++ b/src/khoj/app/settings.py
@@ -40,6 +40,8 @@ CSRF_TRUSTED_ORIGINS = [
     f"https://app.{KHOJ_DOMAIN}",
 ]
 
+DISABLE_HTTPS = is_env_var_true("KHOJ_NO_HTTPS")
+
 COOKIE_SAMESITE = "None"
 if DEBUG or os.getenv("KHOJ_DOMAIN") == None:
     SESSION_COOKIE_DOMAIN = "localhost"
@@ -48,13 +50,21 @@ else:
     # Production Settings
     SESSION_COOKIE_DOMAIN = KHOJ_DOMAIN
     CSRF_COOKIE_DOMAIN = KHOJ_DOMAIN
-    if not is_env_var_true("KHOJ_NO_HTTPS"):
+    if not DISABLE_HTTPS:
         SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
-SESSION_COOKIE_SECURE = not is_env_var_true("KHOJ_NO_HTTPS")
-CSRF_COOKIE_SECURE = not is_env_var_true("KHOJ_NO_HTTPS")
-COOKIE_SAMESITE = "None"
-SESSION_COOKIE_SAMESITE = "None"
+if DISABLE_HTTPS:
+    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = False
+
+    # These need to be set to Lax in order to work with http in some browsers. See reference: https://docs.djangoproject.com/en/5.0/ref/settings/#std-setting-SESSION_COOKIE_SECURE
+    COOKIE_SAMESITE = "Lax"
+    SESSION_COOKIE_SAMESITE = "Lax"
+else:
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
+    COOKIE_SAMESITE = "None"
+    SESSION_COOKIE_SAMESITE = "None"
 
 # Application definition
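Review bot: The comment above the added `COOKIE_SAMESITE = "Lax"` in the `if DISABLE_HTTPS:` branch gives the wrong reason and links to the wrong setting: browsers reject a `SameSite=None` cookie that is not also marked `Secure`, so once `SESSION_COOKIE_SECURE` is False the only usable values are `Lax` or `Strict`, and the anchor should be `#std-setting-SESSION_COOKIE_SAMESITE` rather than `SESSION_COOKIE_SECURE`. I would reword it as `# Browsers drop SameSite=None cookies that lack the Secure attribute, so without HTTPS the session cookie must fall back to Lax; see https://docs.djangoproject.com/en/5.0/ref/settings/#std-setting-SESSION_COOKIE_SAMESITE`. Note also that `CSRF_COOKIE_SAMESITE` is assigned in neither branch, so unless it is set elsewhere in the file the CSRF cookie keeps Django's default of `Lax` even in the HTTPS branch where the session cookie is `None`; if a cross-site flow depends on both cookies they should be set together. Finally, `DISABLE_HTTPS` is read from the environment independently of the `DEBUG`/`KHOJ_DOMAIN` check above it, so the Secure/SameSite downgrade applies to any deployment with `KHOJ_NO_HTTPS` set, not only the localhost case the commit title describes; emitting a warning when it is set on a non-debug deployment would make an accidental plaintext-session configuration visible.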