authormo khan <mo@mokhan.ca>2025-05-07 10:30:59 -0700
committermo khan <mo@mokhan.ca>2025-05-07 10:30:59 -0700
commitf0fbdab72254d68d0a3a4a49a4a1646f89f0f913 (patch)
treea6ede6841714a16fa9ac61ae28575a1f749ad547 /app/controllers
parent61598cf8c8a2dbae368f3f8b15393c70d2e4fa9d (diff)
feat: digitally sign and verify cookie using randomly generated key
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/sessions/controller_test.go2
-rw-r--r--app/controllers/sessions/service.go3
2 files changed, 3 insertions, 2 deletions
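--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -127,7 +127,7 @@ func TestSessions(t *testing.T) {
 cookie, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
 require.NoError(t, err)
 require.NotZero(t, cookie)
-data, err := base64.URLEncoding.DecodeString(cookie.Value)
+data, err := base64.URLEncoding.DecodeString(web.CookieValueFrom(cookie))
 require.NoError(t, err)
 tokens := map[string]interface{}{}
 require.NoError(t, json.Unmarshal(data, &tokens))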
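Review bot: The updated assertion only exercises the accept path of the new signed cookie: it decodes `web.CookieValueFrom(cookie)` and expects success, but nothing in this hunk checks that a cookie whose signature does not verify is rejected, which is the property the commit message claims. A second case that tampers with `cookie.Value` before calling `web.CookieValueFrom` and asserts the session is not accepted would pin that. Whether `CookieValueFrom` reports a failed verification by returning an empty string or by some other means is not visible here, so the new assertion should follow that contract. TestSessions begins before this hunk.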
diff --git a/app/controllers/sessions/service.go b/app/controllers/sessions/service.go
index 0ee692a..af1512c 100644
--- a/app/controllers/sessions/service.go
+++ b/app/controllers/sessions/service.go
@@ -7,6 +7,7 @@ import (
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
"golang.org/x/oauth2"
)
@@ -38,7 +39,7 @@ func (svc *Service) Exchange(r *http.Request) (*oidc.Tokens, error) {
}
state := r.URL.Query().Get("state")
- if state != cookies[0].Value {
+ if state != web.CookieValueFrom(cookies[0]) {
return nil, errors.New("Invalid CSRF token")
}
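Review bot: The CSRF check on the changed line still accepts a request when both sides are empty: `web.CookieValueFrom` has a single string return (it is passed directly to `DecodeString` in the controller_test.go hunk), so a cookie that fails signature verification can only be reported through that string, presumably as `""`, and a request carrying no `state` parameter would then pass `state != ""`. Reject the empty case explicitly and, since this is a comparison of a secret token, use `crypto/subtle`: `if state == "" || subtle.ConstantTimeCompare([]byte(state), []byte(web.CookieValueFrom(cookies[0]))) != 1 {`. That needs `"crypto/subtle"` added to the import block touched by the first hunk of this file. Exchange starts before this hunk and its body continues past it.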