authormo khan <mo@mokhan.ca>2025-04-29 09:02:47 -0600
committermo khan <mo@mokhan.ca>2025-04-29 09:02:47 -0600
commit65389b93922e193be8769609e29fff6243147a9c (patch)
treece0eb5300c4ab281bac6f30832d8ae1e0b2fe9eb /app/controllers
parent9b6982dd53c16b6ec7d333e621429781ac1653f7 (diff)
Use secure and http flag on cookies everywhere
> A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute. However, don't assume that Secure prevents all access to sensitive information in cookies. For example, someone with access to the client's hard disk (or JavaScript if the HttpOnly attribute isn't set) can read and modify the information. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/sessions/controller_test.go11
1 files changed, 2 insertions, 9 deletions
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index c0c1de2..9ece4f9 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -11,7 +11,6 @@ import (
"github.com/oauth2-proxy/mockoidc"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
- "github.com/xlgmokha/x/pkg/x"
xcfg "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
@@ -62,11 +61,8 @@ func TestSessions(t *testing.T) {
cookieHeader := w.Header().Get("Set-Cookie")
require.NotEmpty(t, cookieHeader)
- cookies, err := http.ParseCookie(cookieHeader)
+ cookie, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
require.NoError(t, err)
- cookie := x.Find(cookies, func(item *http.Cookie) bool {
- return item.Name == "oauth_state"
- })
require.NotZero(t, cookie)
})
})
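Review bot: The assertion `require.NotZero(t, cookie)` no longer verifies what the commit title promises: `http.ParseSetCookie` returns a non-nil `*http.Cookie` whenever `err` is nil, so the check is satisfied by any well-formed Set-Cookie header, and the name check that the removed `x.Find` closure performed (`item.Name == "oauth_state"`) is gone with it. Add `require.Equal(t, "oauth_state", cookie.Name)`, `require.True(t, cookie.Secure)` and `require.True(t, cookie.HttpOnly)` after the `require.NoError` so a regression in the cookie attributes fails this test instead of passing silently. `w.Header().Get("Set-Cookie")` yields only the first such header, so if the handler ever emits more than one cookie the test would parse the wrong one; iterating `w.Header().Values("Set-Cookie")` and selecting by name would be safer, though the hunk does not show whether multiple cookies are set. Minor: `cookieHeader` is already captured two lines up and could be passed to `ParseSetCookie` instead of re-reading the header. The enclosing TestSessions function and its subtest begin outside the hunk.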
@@ -126,11 +122,8 @@ func TestSessions(t *testing.T) {
mux.ServeHTTP(w, r)
- cookies, err := http.ParseCookie(w.Header().Get("Set-Cookie"))
+ cookie, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
require.NoError(t, err)
- cookie := x.Find(cookies, func(item *http.Cookie) bool {
- return item.Name == "session"
- })
require.NotZero(t, cookie)
data, err := base64.URLEncoding.DecodeString(cookie.Value)
require.NoError(t, err)