haskell-servant · AliasQli · Mar 12, 2021
diff --git a/servant-auth-server/src/Servant/Auth/Server/Internal.hs b/servant-auth-server/src/Servant/Auth/Server/Internal.hs
@@ -53,16 +53,18 @@ instance ( n ~ 'S ('S 'Z)
       cookieSettings = getContextEntry context
 
       makeCookies :: AuthResult v -> IO (SetCookieList ('S ('S 'Z)))
-      makeCookies authResult = do
-        xsrf <- makeXsrfCookie cookieSettings
-        fmap (Just xsrf `SetCookieCons`) $
-          case authResult of
-            (Authenticated v) -> do
-              ejwt <- makeSessionCookie cookieSettings jwtSettings v
-              case ejwt of
-                Nothing  -> return $ Nothing `SetCookieCons` SetCookieNil
-                Just jwt -> return $ Just jwt `SetCookieCons` SetCookieNil
-            _ -> return $ Nothing `SetCookieCons` SetCookieNil
+      makeCookies authResult = if cookieIsUsed cookieSettings
+        then do
+          xsrf <- makeXsrfCookie cookieSettings
+          fmap (Just xsrf `SetCookieCons`) $
+            case authResult of
+              (Authenticated v) -> do
+                ejwt <- makeSessionCookie cookieSettings jwtSettings v
+                case ejwt of
+                  Nothing  -> return $ Nothing `SetCookieCons` SetCookieNil
+                  Just jwt -> return $ Just jwt `SetCookieCons` SetCookieNil
+              _ -> return $ Nothing `SetCookieCons` SetCookieNil
+        else return $ Nothing `SetCookieCons` (Nothing `SetCookieCons` SetCookieNil)
 
       go :: (AuthResult v -> ServerT api Handler)
          -> (AuthResult v, SetCookieList n)

diff --git a/servant-auth-server/src/Servant/Auth/Server/Internal/ConfigTypes.hs b/servant-auth-server/src/Servant/Auth/Server/Internal/ConfigTypes.hs
@@ -57,9 +57,11 @@ defaultJWTSettings k = JWTSettings
 -- not testing over HTTPS.
 data CookieSettings = CookieSettings
   {
+  -- | If any "Set-Cookie" header will be generated. Default: @True@.
+    cookieIsUsed      :: !Bool
   -- | 'Secure' means browsers will only send cookies over HTTPS. Default:
   -- @Secure@.
-    cookieIsSecure    :: !IsSecure
+  , cookieIsSecure    :: !IsSecure
   -- | How long from now until the cookie expires. Default: @Nothing@.
   , cookieMaxAge      :: !(Maybe DiffTime)
   -- | At what time the cookie expires. Default: @Nothing@.
@@ -81,7 +83,8 @@ instance Default CookieSettings where
 
 defaultCookieSettings :: CookieSettings
 defaultCookieSettings = CookieSettings
-    { cookieIsSecure    = Secure
+    { cookieIsUsed      = True
+    , cookieIsSecure    = Secure
     , cookieMaxAge      = Nothing
     , cookieExpires     = Nothing
     , cookiePath        = Just "/"