mirror of https://github.com/LaCasemate/fab-manager.git synced 2025-01-29 18:52:22 +01:00

Added an option to allow usage in production without HTTPS

Sylvain 2020-05-13 14:03:58 +02:00
parent b18bc2a97e
commit 826d3cd4b7
6 changed files with 18 additions and 2 deletions


@ -1,7 +1,8 @@
# Changelog Fab-manager
- Prevent admins from leaving their dedicated group
- Downgraded faraday from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196)
- Faraday was downgraded from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196)
- Added an option to allow usage in production without HTTPS
- Fix a bug: when an admin logs on the subscription page, his view is broken
- Fix a bug: admin's members list shows the same members multiple times


@ -2,4 +2,6 @@
# Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, key: '_Fab-manager_session', secure: (Rails.env.production? || Rails.env.staging?)
Rails.application.config.session_store :cookie_store,
key: '_Fab-manager_session',
secure: (Rails.env.production? || Rails.env.staging?) && !Rails.application.secrets.allow_insecure_http
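Review bot: The new `secure:` expression tests the truthiness of `Rails.application.secrets.allow_insecure_http`, and that value is whatever YAML makes of the raw `ALLOW_INSECURE_HTTP` string rendered by the `ENV.fetch("ALLOW_INSECURE_HTTP", false)` entries this commit adds to the secrets file. In Ruby only `false` and `nil` are falsy, so a value that YAML types as a number or a plain string (for example `0`) would presumably switch the Secure cookie flag off in production and staging even though the operator meant to keep it on. The setting should fail closed by comparing against the exact boolean, `secure: (Rails.env.production? || Rails.env.staging?) && Rails.application.secrets.allow_insecure_http != true`, or by normalizing at the source with `ENV.fetch("ALLOW_INSECURE_HTTP", "false") == "true"` in each secrets entry. A startup log warning when the flag is disabled in production would also help operators notice a leftover test setting.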


@ -56,6 +56,7 @@ development:
superadmin_email: <%= ENV["SUPERADMIN_EMAIL"] %>
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>
test:
secret_key_base: 83daf5e7b80d990f037407bab78dff9904aaf3c195a50f84fa8695a22287e707dfbd9524b403b1dcf116ae1d8c06844c3d7ed942564e5b46be6ae3ead93a9d30
@ -103,6 +104,7 @@ test:
superadmin_email: <%= ENV["SUPERADMIN_EMAIL"] %>
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>
staging:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
@ -160,6 +162,7 @@ staging:
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
enable_in_context_translation: <%= ENV["ENABLE_IN_CONTEXT_TRANSLATION"] %>
allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>
# Do not keep production secrets in the repository,
# instead read values from the environment.
@ -218,3 +221,4 @@ production:
superadmin_email: <%= ENV["SUPERADMIN_EMAIL"] %>
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>


@ -265,6 +265,13 @@ You can change this behavior by setting this variable to one of the following va
- "once" to keep the default behavior.
- "session" to display the tours each time you reopen the application.
- "manual" to prevent displaying the tours automatically; you'll still be able to trigger them by pressing the F1 key.
<a name="ALLOW_INSECURE_HTTP"></a>
ALLOW_INSECURE_HTTP
In production and staging environments, the session cookie won't be sent to the server unless through the HTTPS protocol.
If you're using Fab-manager on a non-public network or for testing purposes, you can disable this behavior by setting this variable to `true`.
Please, ensure you know what you're doing, as this can lead to serious security issues.
<a name="internationalization-settings"></a>
## Internationalization setting.


@ -71,6 +71,7 @@ SUMMERNOTE_LOCALE=fr-FR
ANGULAR_LOCALE=fr-fr
FULLCALENDAR_LOCALE=fr
FORCE_VERSION_CHECK=false
ALLOW_INSECURE_HTTP=false
ELASTICSEARCH_LANGUAGE_ANALYZER=french


@ -72,6 +72,7 @@ NAVINUM_API_PASSWORD=
LOG_LEVEL=debug
DISK_SPACE_MB_ALERT='100'
SUPERADMIN_EMAIL=
ALLOW_INSECURE_HTTP=false
ALLOWED_EXTENSIONS=pdf ai eps cad math svg stl dxf dwg obj step iges igs 3dm 3dmf doc docx png ino scad fcad skp sldprt sldasm slddrw slddrt tex latex ps fcstd fcstd1