feat: use a cookie prefix to lock down the session cookie

> __Host-: If a cookie name has this prefix, it's accepted in a > Set-Cookie header only if it's also marked with the Secure attribute, > was sent from a secure origin, does not include a Domain attribute, > and has the Path attribute set to /. In other words, the cookie is > domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
author: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
committer: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
commit: b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree: 30a2a8f278684f006bbb846cbdd560c9080bcfaf /app/controllers/sessions
parent: e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)
4 files changed, 14 insertions, 12 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 7860ed5..61fdaf8 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/xlgmokha/x/pkg/cookie"
 	"github.com/xlgmokha/x/pkg/log"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/middleware"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
@@ -37,7 +38,7 @@ func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
 	url, nonce := c.svc.GenerateRedirectURL()
 	// This cookie must be sent as part of a redirect that originates from the OIDC Provider
 	cookie.Write(w, web.NewCookie(
-		"oauth_state",
+		cfg.CSRFCookie,
 		nonce,
 		cookie.WithSameSite(http.SameSiteLaxMode),
 		cookie.WithExpiration(time.Now().Add(10*time.Minute)),
@@ -140,7 +141,7 @@ func (c *Controller) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ck := web.NewCookie("session", encoded,
+	ck := web.NewCookie(cfg.SessionCookie, encoded,
 		cookie.WithSameSite(http.SameSiteLaxMode),
 		cookie.WithExpiration(tokens.Expiry),
 	)
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index 4b68c7a..82c56d5 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -95,7 +95,7 @@ func TestSessions(t *testing.T) {
 			r, w := test.RequestResponse(
 				"GET",
 				"/session/callback?code="+code+"&state=invalid",
-				test.WithCookie(web.NewCookie("oauth_state", nonce)),
+				test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)),
 			)
 
 			mux.ServeHTTP(w, r)
@@ -119,7 +119,7 @@ func TestSessions(t *testing.T) {
 			r, w := test.RequestResponse(
 				"GET",
 				"/session/callback?code="+code+"&state="+nonce,
-				test.WithCookie(web.NewCookie("oauth_state", nonce)),
+				test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)),
 			)
 
 			mux.ServeHTTP(w, r)
@@ -176,8 +176,7 @@ func TestSessions(t *testing.T) {
 
 			t.Run("applies the appropriate cookie settings", func(t *testing.T) {
 				assert.Equal(t, "/", cookie.Path)
-				assert.Equal(t, "localhost", cookie.Domain)
-				assert.Equal(t, "session", cookie.Name)
+				assert.Equal(t, xcfg.SessionCookie, cookie.Name)
 				assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
 				assert.Equal(t, x.Must(time.Parse(time.RFC3339, tokens["expiry"].(string))).Unix(), cookie.Expires.Unix())
 				assert.True(t, cookie.HttpOnly)
@@ -189,14 +188,14 @@ func TestSessions(t *testing.T) {
 
 	t.Run("POST /session/destroy", func(t *testing.T) {
 		t.Run("clears the session cookie", func(t *testing.T) {
-			cookie := web.NewCookie("session", "value")
+			cookie := web.NewCookie(xcfg.SessionCookie, "value")
 			r, w := test.RequestResponse("POST", "/session/destroy", test.WithCookie(cookie))
 
 			mux.ServeHTTP(w, r)
 
 			require.Equal(t, http.StatusFound, w.Code)
 			assert.Equal(t, "/", w.Header().Get("Location"))
-			assert.Equal(t, "session=; Path=/; Domain=localhost; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure", w.Header().Get("Set-Cookie"))
+			assert.Equal(t, "session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure", w.Header().Get("Set-Cookie"))
 		})
 	})
 }
diff --git a/app/controllers/sessions/service.go b/app/controllers/sessions/service.go
index af1512c..2dec9e3 100644
--- a/app/controllers/sessions/service.go
+++ b/app/controllers/sessions/service.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"net/http"
 
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
@@ -33,7 +34,7 @@ func (svc *Service) GenerateRedirectURL() (string, string) {
 }
 
 func (svc *Service) Exchange(r *http.Request) (*oidc.Tokens, error) {
-	cookies := r.CookiesNamed("oauth_state")
+	cookies := r.CookiesNamed(cfg.CSRFCookie)
 	if len(cookies) != 1 {
 		return nil, errors.New("Missing CSRF token")
 	}
diff --git a/app/controllers/sessions/service_test.go b/app/controllers/sessions/service_test.go
index 81248ca..4bea1dd 100644
--- a/app/controllers/sessions/service_test.go
+++ b/app/controllers/sessions/service_test.go
@@ -8,6 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/xlgmokha/x/pkg/test"
+	xcfg "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
@@ -46,7 +47,7 @@ func TestService(t *testing.T) {
 			r := test.Request(
 				"GET",
 				"/session/callback?code="+code+"&state=invalid",
-				test.WithCookie(web.NewCookie("oauth_state", nonce)),
+				test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)),
 			)
 			tokens, err := svc.Exchange(r)
 
@@ -59,7 +60,7 @@ func TestService(t *testing.T) {
 
 			r := test.Request(
 				"GET", "/session/callback?code=invalid",
-				test.WithCookie(web.NewCookie("oauth_state", nonce)),
+				test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)),
 			)
 
 			tokens, err := svc.Exchange(r)
@@ -76,7 +77,7 @@ func TestService(t *testing.T) {
 			r := test.Request(
 				"GET",
 				"/session/callback?code="+code+"&state="+nonce,
-				test.WithCookie(web.NewCookie("oauth_state", nonce)),
+				test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)),
 			)
 
 			tokens, err := svc.Exchange(r)
author	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
committer	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
commit	b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree	30a2a8f278684f006bbb846cbdd560c9080bcfaf /app/controllers/sessions
parent	e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)