authormo khan <mo@mokhan.ca>2025-04-15 17:46:34 -0600
committermo khan <mo@mokhan.ca>2025-04-15 17:46:34 -0600
commit655fb6c4cc180dfcbc13c1b85e0fbf47019caec0 (patch)
tree50aaf25e5c70697ed2c5f8c539bd331fdf11d721 /app/controllers/sessions/controller.go
parent58276879a5505f8e37aa8f81d577b477b5497a53 (diff)
feat: create session cookie tied to access token
Diffstat (limited to 'app/controllers/sessions/controller.go')
-rw-r--r--app/controllers/sessions/controller.go17
1 files changed, 12 insertions, 5 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index d526a86..1ceb9ec 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -1,18 +1,24 @@
package sessions
import (
+ "context"
"net/http"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
"golang.org/x/oauth2"
)
type Controller struct {
- cfg *oidc.OpenID
+ cfg *oidc.OpenID
+ http *http.Client
}
-func New(cfg *oidc.OpenID) *Controller {
- return &Controller{cfg: cfg}
+func New(cfg *oidc.OpenID, http *http.Client) *Controller {
+ return &Controller{
+ cfg: cfg,
+ http: http,
+ }
}
func (c *Controller) MountTo(mux *http.ServeMux) {
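Review bot: The new constructor parameter `http *http.Client` on the `func New` line shadows the `net/http` import for the whole body of New, so any later reference to the package inside that function (for example `http.DefaultClient` as a fallback) would resolve to the parameter instead of the package. Renaming the parameter keeps the package reachable and reads more naturally: `func New(cfg *oidc.OpenID, client *http.Client) *Controller {` with `http: client,` in the struct literal. The struct field named `http` is fine to keep, since field names do not shadow identifiers. New also stores a nil client without checking it; the consequence of that shows up in the Create hunk below.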
@@ -27,7 +33,8 @@ func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
}
func (c *Controller) Create(w http.ResponseWriter, r *http.Request) {
- token, err := c.cfg.Config.Exchange(r.Context(), r.URL.Query().Get("code"))
+ ctx := context.WithValue(r.Context(), oauth2.HTTPClient, c.http)
+ token, err := c.cfg.Config.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
w.WriteHeader(http.StatusBadRequest)
return
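Review bot: The line `ctx := context.WithValue(r.Context(), oauth2.HTTPClient, c.http)` injects c.http unconditionally, and nothing in New rejects a nil client; a typed-nil *http.Client stored under oauth2.HTTPClient appears to satisfy oauth2's type assertion for the context client, so it would be used instead of the http.DefaultClient fallback and the Exchange call would dereference a nil client rather than fall back. Guarding the injection keeps the fallback behaviour: `ctx := r.Context()` followed by `if c.http != nil { ctx = context.WithValue(ctx, oauth2.HTTPClient, c.http) }`. The rest of the code-for-token exchange is unchanged, and Create's body continues outside the hunk.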
@@ -44,6 +51,6 @@ func (c *Controller) Create(w http.ResponseWriter, r *http.Request) {
return
}
- http.SetCookie(w, &http.Cookie{Name: "session", Value: encoded})
+ http.SetCookie(w, cookie.New("session", encoded, tokens.Expiry))
http.Redirect(w, r, "/dashboard", http.StatusFound)
}
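Review bot: `http.SetCookie(w, cookie.New("session", encoded, tokens.Expiry))` replaces a cookie that set no attributes at all, but the attributes cookie.New applies are not visible in this diff; since the cookie value is the encoded token, confirm that the helper marks it HttpOnly and Secure and sets SameSite and Path, and record that expectation at the call site, e.g. `// session cookie carries the encoded token; cookie.New is expected to set HttpOnly/Secure/SameSite and a Path`. The expiry is read from `tokens.Expiry`, while the value returned by Exchange in the earlier hunk is named `token`; if `tokens` is not a separate variable declared in the lines of Create omitted between the two hunks, this will not compile and should read `token.Expiry`. It is also worth a comment that a zero Expiry from the provider would reach cookie.New unchanged, so its handling of a zero time should be confirmed. The start of Create lies outside this hunk.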