use secure=True when options.disable_http_login is enabled

We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.

Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.

This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.

We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.

Signed-off-by: Kevin Morris <kevr@0cost.org>

aurweb/routers/html.py

@@ -6,6 +6,8 @@ from http import HTTPStatus
 from fastapi import APIRouter, Form, HTTPException, Request
 from fastapi.responses import HTMLResponse, RedirectResponse
 
+import aurweb.config
+
 from aurweb.templates import make_context, render_template
 
 router = APIRouter()
@@ -45,7 +47,9 @@ async def language(request: Request,
     # In any case, set the response's AURLANG cookie that never expires.
     response = RedirectResponse(url=f"{next}{query_string}",
                                 status_code=int(HTTPStatus.SEE_OTHER))
-    response.set_cookie("AURLANG", set_lang)
+    secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
+    response.set_cookie("AURLANG", set_lang,
+                        secure=secure_cookies, httponly=True)
     return response