feat: use a cookie prefix to lock down the session cookie

> __Host-: If a cookie name has this prefix, it's accepted in a > Set-Cookie header only if it's also marked with the Secure attribute, > was sent from a secure origin, does not include a Domain attribute, > and has the Path attribute set to /. In other words, the cookie is > domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
author: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
committer: mo khan <mo@mokhan.ca> 2025-05-08 09:53:24 -0600
commit: b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree: 30a2a8f278684f006bbb846cbdd560c9080bcfaf /app/middleware/token_parser.go
parent: e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/app/middleware/token_parser.go b/app/middleware/token_parser.go
index f64522b..08219b4 100644
--- a/app/middleware/token_parser.go
+++ b/app/middleware/token_parser.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
@@ -12,7 +13,7 @@ import (
 type TokenParser x.Mapper[*http.Request, oidc.RawToken]
 
 func IDTokenFromSessionCookie(r *http.Request) oidc.RawToken {
-	cookies := r.CookiesNamed("session")
+	cookies := r.CookiesNamed(cfg.SessionCookie)
 
 	if len(cookies) != 1 {
 		return ""
author	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
committer	mo khan <mo@mokhan.ca>	2025-05-08 09:53:24 -0600
commit	b7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree	30a2a8f278684f006bbb846cbdd560c9080bcfaf /app/middleware/token_parser.go
parent	e9b9d1058504f8331bf03e6168074ef7cedab519 (diff)