| author | mo khan <mo@mokhan.ca> | 2025-04-29 08:46:49 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-29 08:46:49 -0600 |
| commit | 9b6982dd53c16b6ec7d333e621429781ac1653f7 (patch) | |
| tree | e7680ac53cf6398c9dec064f22712e01f7edee93 | |
| parent | 3b2d79aad75c84a4f807b08f861232077d097e5b (diff) | |
feat: ensure cookie is not accessible to js and only transmitted over tls in production
| -rw-r--r-- | .env | 1 | ||||
| -rw-r--r-- | .runway/env-production.yml | 1 | ||||
| -rw-r--r-- | .runway/env-staging.yml | 1 | ||||
| -rw-r--r-- | pkg/web/cookie/cookie_test.go | 4 | ||||
| -rw-r--r-- | pkg/web/cookie/new.go | 15 |
5 files changed, 14 insertions, 8 deletions
@@ -1,3 +1,4 @@
+APP_ENV=development
 BIND_ADDR=:8080
 HOST=localhost
 OAUTH_CLIENT_ID=client_id
diff --git a/.runway/env-production.yml b/.runway/env-production.yml
index 38f9e5d..9c1f873 100644
--- a/.runway/env-production.yml
+++ b/.runway/env-production.yml
@@ -1,3 +1,4 @@
+APP_ENV: "production"
 HOST: "sparkle.runway.gitlab.net"
 OAUTH_CLIENT_ID: "75656280b7ca60223b060b57c4eb98a8a324878531efeccafc1d25709dbee5c9"
 OAUTH_REDIRECT_URL: "https://sparkle.runway.gitlab.net/session/callback"
diff --git a/.runway/env-staging.yml b/.runway/env-staging.yml
index e89fee4..66df510 100644
--- a/.runway/env-staging.yml
+++ b/.runway/env-staging.yml
@@ -1,3 +1,4 @@
+APP_ENV: "production"
 HOST: "sparkle.staging.runway.gitlab.net"
 OAUTH_CLIENT_ID: "786e37c8d2207d200f735379ad52579c452948222f9affc7a45e74bd7074ad3c"
 OAUTH_REDIRECT_URL: "https://sparkle.staging.runway.gitlab.net/session/callback"
diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index 17e3d88..c91efdc 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -11,9 +11,11 @@ import (
 func TestCookie(t *testing.T) {
 t.Run("New", func(t *testing.T) {
 t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
-env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
+env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "production"}, func() {
 cookie := New("name", "value", time.Now().Add(1*time.Minute))
 assert.Equal(t, cookie.Domain, "sparkle.example.com")
+assert.Equal(t, cookie.HttpOnly, true)
+assert.Equal(t, cookie.Secure, true)
 })
 })
 })
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index 2809640..e1d8477 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
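Review bot: `APP_ENV: "production"` in .runway/env-staging.yml labels the staging deployment as production purely so that the Secure and HttpOnly flags in pkg/web/cookie/new.go switch on, which overloads the environment name with a transport property and will mislead anything that later branches on APP_ENV (logging, feature flags, OAuth client selection). A dedicated setting that names the actual requirement, e.g. `COOKIE_SECURE: "true"` read in New, or deriving it from the scheme of OAUTH_REDIRECT_URL, keeps staging identifiable as staging. The same value appears in .runway/env-production.yml where it is accurate, and .env's `APP_ENV=development` leaves local cookies with neither flag.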
@@ -8,14 +8,15 @@ import (
 )
 
 func New(name, value string, expires time.Time) *http.Cookie {
+production := env.Fetch("APP_ENV", "development") == "production"
 return &http.Cookie{
-Name: name,
-Value: value, // TODO:: digitally sign the value
-Expires: expires,
-MaxAge: int(time.Until(expires).Seconds()),
-Path: "/",
-// HttpOnly: true,
-// Secure: true,
+Name: name,
+Value: value, // TODO:: digitally sign the value
+Expires: expires,
+MaxAge: int(time.Until(expires).Seconds()),
+Path: "/",
+HttpOnly: production,
+Secure: production,
 SameSite: http.SameSiteDefaultMode,
 Domain: env.Fetch("HOST", "localhost"),
 }
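Review bot: `HttpOnly: production,` ties the HttpOnly flag to the deployment environment although HttpOnly has nothing to do with TLS; it only keeps the cookie out of document.cookie and works fine over plain http, so it should be `HttpOnly: true,` unconditionally and only `Secure` needs the environment switch. As written, a development build exposes the cookie to any script on the page, and the cookie_test.go hunk only asserts the production branch, so a second case with APP_ENV unset pinning `HttpOnly == true` and `Secure == false` would document the intended split. `SameSite: http.SameSiteDefaultMode` also leaves the SameSite attribute off the wire; `http.SameSiteLaxMode` is the usual choice for a session cookie and is a cheap addition here, assuming the OAuth callback is a top-level GET redirect to /session/callback, which Lax permits. The whole body of New is within the hunk.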
