use secure=True when options.disable_http_login is enabled

We'll piggyback off of the current existing configuration item,
`disable_http_login`, to decide how we should submit cookies to
an HTTP response.

Previously, in `sso.py`, the http schema was used to make this
decision. There is an issue with that, however: We cannot actually
test properly if we depend on the https schema.

This change allows us to toggle `disable_http_login` to modify
the behavior of cookies sent with an http response to be secure.

We test this behavior in test/test_auth_routes.py#L81:
`test_secure_login(mock)`.

Signed-off-by: Kevin Morris <kevr@0cost.org>

aurweb/routers/sso.py

@@ -131,13 +131,15 @@ async def authenticate(request: Request, redirect: str = None, conn=Depends(aurw
     elif len(aur_accounts) == 1:
         sid = open_session(request, conn, aur_accounts[0][Users.c.ID])
         response = RedirectResponse(redirect if redirect and is_aur_url(redirect) else "/")
+        secure_cookies = aurweb.config.getboolean("options", "disable_http_login")
         response.set_cookie(key="AURSID", value=sid, httponly=True,
-                            secure=request.url.scheme == "https")
+                            secure=secure_cookies)
         if "id_token" in token:
             # We save the id_token for the SSO logout. It’s not too important
             # though, so if we can’t find it, we can live without it.
-            response.set_cookie(key="SSO_ID_TOKEN", value=token["id_token"], path="/sso/",
-                                httponly=True, secure=request.url.scheme == "https")
+            response.set_cookie(key="SSO_ID_TOKEN", value=token["id_token"],
+                                path="/sso/", httponly=True,
+                                secure=secure_cookies)
         return response
     else:
         # We’ve got a severe integrity violation.