cookie: enabled / disabled.

internal/api/router.go

@@ -70,7 +70,10 @@ func (api *ApiManagerCtx) Authenticate(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		session, err := api.sessions.Authenticate(r)
 		if err != nil {
-			api.sessions.CookieClearToken(w, r)
+			if api.sessions.CookieEnabled() {
+				api.sessions.CookieClearToken(w, r)
+			}
+
 			utils.HttpUnauthorized(w, err)
 			return
 		}

internal/api/session.go

@@ -15,6 +15,7 @@ type SessionLoginPayload struct {
 
 type SessionDataPayload struct {
 	ID      string              `json:"id"`
+	Token   string              `json:"token,omitempty"`
 	Profile types.MemberProfile `json:"profile"`
 	State   types.SessionState  `json:"state"`
 }
@@ -31,13 +32,19 @@ func (api *ApiManagerCtx) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	api.sessions.CookieSetToken(w, token)
-
-	utils.HttpSuccess(w, SessionDataPayload{
+	sessionData := SessionDataPayload{
 		ID:      session.ID(),
 		Profile: session.Profile(),
 		State:   session.State(),
-	})
+	}
+
+	if api.sessions.CookieEnabled() {
+		api.sessions.CookieSetToken(w, token)
+	} else {
+		sessionData.Token = token
+	}
+
+	utils.HttpSuccess(w, sessionData)
 }
 
 func (api *ApiManagerCtx) Logout(w http.ResponseWriter, r *http.Request) {
@@ -49,7 +56,9 @@ func (api *ApiManagerCtx) Logout(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	api.sessions.CookieClearToken(w, r)
+	if api.sessions.CookieEnabled() {
+		api.sessions.CookieClearToken(w, r)
+	}
 
 	utils.HttpSuccess(w, true)
 }

internal/config/session.go

@@ -11,6 +11,7 @@ type Session struct {
 	ImplicitHosting bool
 	APIToken        string
 
+	CookieEnabled    bool
 	CookieName       string
 	CookieExpiration time.Time
 	CookieSecure     bool
@@ -28,6 +29,11 @@ func (Session) Init(cmd *cobra.Command) error {
 	}
 
 	// cookie
+	cmd.PersistentFlags().Bool("session.cookie.enabled", true, "whether cookies authentication should be enabled")
+	if err := viper.BindPFlag("session.cookie.enabled", cmd.PersistentFlags().Lookup("session.cookie.enabled")); err != nil {
+		return err
+	}
+
 	cmd.PersistentFlags().String("session.cookie.name", "NEKO_SESSION", "name of the cookie that holds token")
 	if err := viper.BindPFlag("session.cookie.name", cmd.PersistentFlags().Lookup("session.cookie.name")); err != nil {
 		return err
@@ -50,6 +56,7 @@ func (s *Session) Set() {
 	s.ImplicitHosting = viper.GetBool("session.implicit_hosting")
 	s.APIToken = viper.GetString("session.api_token")
 
+	s.CookieEnabled = viper.GetBool("session.cookie.enabled")
 	s.CookieName = viper.GetString("session.cookie.name")
 	s.CookieExpiration = time.Now().Add(time.Duration(viper.GetInt("session.cookie.expiration")) * time.Hour)
 	s.CookieSecure = viper.GetBool("session.cookie.secure")

internal/session/manager.go

@@ -300,3 +300,7 @@ func (manager *SessionManagerCtx) OnHostChanged(listener func(session types.Sess
 func (manager *SessionManagerCtx) ImplicitHosting() bool {
 	return manager.config.ImplicitHosting
 }
+
+func (manager *SessionManagerCtx) CookieEnabled() bool {
+	return manager.config.CookieEnabled
+}

internal/types/session.go

@@ -49,6 +49,7 @@ type SessionManager interface {
 	OnHostChanged(listener func(session Session))
 
 	ImplicitHosting() bool
+	CookieEnabled() bool
 
 	CookieSetToken(w http.ResponseWriter, token string)
 	CookieClearToken(w http.ResponseWriter, r *http.Request)