From a4a333dc4fa485f55c55cf9c0207fb5753bef101 Mon Sep 17 00:00:00 2001
From: George Barbarosie
Date: Wed, 3 Mar 2021 12:14:42 +0000
Subject: [PATCH] fix https_only behaviour: - read from ini-file unless overridden from parameter - convert from string to bool, required for ini-file setting
---
 src/pyramid_jwt/__init__.py | 2 +-
 src/pyramid_jwt/policy.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/pyramid_jwt/__init__.py b/src/pyramid_jwt/__init__.py
index c0b633f..f3fd413 100644
--- a/src/pyramid_jwt/__init__.py
+++ b/src/pyramid_jwt/__init__.py
@@ -93,7 +93,7 @@ def set_jwt_cookie_authentication_policy(
 json_encoder=None,
 audience=None,
 cookie_name=None,
- https_only=True,
+ https_only=None,
 reissue_time=None,
 cookie_path=None,
 ):
diff --git a/src/pyramid_jwt/policy.py b/src/pyramid_jwt/policy.py
index 214d586..3c73b9b 100644
--- a/src/pyramid_jwt/policy.py
+++ b/src/pyramid_jwt/policy.py
@@ -6,6 +6,7 @@ import jwt
 from pyramid.renderers import JSON
+from pyramid.settings import asbool
 from webob.cookies import CookieProfile
 from zope.interface import implementer
 from pyramid.authentication import CallbackAuthenticationPolicy
@@ -187,7 +188,7 @@ def __init__(
 audience,
 )
- self.https_only = https_only
+ self.https_only = asbool(https_only)
 self.cookie_name = cookie_name or "Authorization"
 self.max_age = self.expiration and self.expiration.total_seconds()
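Review bot: In the `__init__` hunk of src/pyramid_jwt/policy.py, `asbool(https_only)` turns `None` into `False`, so a `None` that reaches the constructor unresolved would yield a JWT cookie that is not restricted to HTTPS. The first hunk makes `None` the default of `set_jwt_cookie_authentication_policy`, and the code that reads the ini file is outside these hunks, so confirm that it falls back to `True` when the setting is absent. The constructor should fail closed as well: `self.https_only = True if https_only is None else asbool(https_only)`. A one-line comment next to the new default, such as `# None: take the value from the ini file, defaulting to HTTPS-only`, would document the tri-state. Both functions start and end outside their hunks.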