authormo khan <mo@mokhan.ca>2025-05-08 09:53:24 -0600
committermo khan <mo@mokhan.ca>2025-05-08 09:53:24 -0600
commitb7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree30a2a8f278684f006bbb846cbdd560c9080bcfaf /app/middleware
parente9b9d1058504f8331bf03e6168074ef7cedab519 (diff)
feat: use a cookie prefix to lock down the session cookie
> __Host-: If a cookie name has this prefix, it's accepted in a > Set-Cookie header only if it's also marked with the Secure attribute, > was sent from a secure origin, does not include a Domain attribute, > and has the Path attribute set to /. In other words, the cookie is > domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
Diffstat (limited to 'app/middleware')
-rw-r--r--app/middleware/id_token.go2
-rw-r--r--app/middleware/id_token_test.go4
-rw-r--r--app/middleware/token_parser.go3
3 files changed, 5 insertions, 4 deletions
diff --git a/app/middleware/id_token.go b/app/middleware/id_token.go
index 5a44f49..e0b5b0d 100644
--- a/app/middleware/id_token.go
+++ b/app/middleware/id_token.go
@@ -21,7 +21,7 @@ func IDToken(cfg *oidc.OpenID, parsers ...TokenParser) func(http.Handler) http.H
if err != nil {
pls.LogError(r.Context(), err)
- web.ExpireCookie(w, "session")
+ web.ExpireCookie(w, xcfg.SessionCookie)
} else {
log.WithFields(r.Context(), log.Fields{"id_token": idToken})
next.ServeHTTP(
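Review bot: The expiry on the `+` line only works if `web.ExpireCookie` emits a Set-Cookie that satisfies the `__Host-` prefix rules the commit message cites (Secure, Path=/, no Domain); if that helper does not set those attributes, browsers silently reject the expiring Set-Cookie, the invalid session cookie stays on the client, and every subsequent request re-enters this error branch. ExpireCookie's implementation is not in this diff, so this is inferred from the prefix semantics rather than from visible code. The updated test in id_token_test.go only renames the request cookie, so a test on the invalid-token case that asserts the response's Set-Cookie for `xcfg.SessionCookie` carries `Secure`, `Path=/` and `Max-Age=0` would pin this down. This file refers to `xcfg.SessionCookie` while token_parser.go imports the package as `cfg`; the alias is declared outside this hunk, but using one import name across the package would be clearer. IDToken's body continues outside the hunk.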
diff --git a/app/middleware/id_token_test.go b/app/middleware/id_token_test.go
index 95d9b40..31a4333 100644
--- a/app/middleware/id_token_test.go
+++ b/app/middleware/id_token_test.go
@@ -55,7 +55,7 @@ func TestIDToken(t *testing.T) {
r, w := test.RequestResponse(
"GET",
"/example",
- test.WithCookie(web.NewCookie("session", encoded)),
+ test.WithCookie(web.NewCookie(xcfg.SessionCookie, encoded)),
)
server.ServeHTTP(w, r)
@@ -74,7 +74,7 @@ func TestIDToken(t *testing.T) {
r, w := test.RequestResponse(
"GET",
"/example",
- test.WithCookie(web.NewCookie("session", "invalid")),
+ test.WithCookie(web.NewCookie(xcfg.SessionCookie, "invalid")),
)
server.ServeHTTP(w, r)
diff --git a/app/middleware/token_parser.go b/app/middleware/token_parser.go
index f64522b..08219b4 100644
--- a/app/middleware/token_parser.go
+++ b/app/middleware/token_parser.go
@@ -4,6 +4,7 @@ import (
"net/http"
"github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
@@ -12,7 +13,7 @@ import (
type TokenParser x.Mapper[*http.Request, oidc.RawToken]
func IDTokenFromSessionCookie(r *http.Request) oidc.RawToken {
- cookies := r.CookiesNamed("session")
+ cookies := r.CookiesNamed(cfg.SessionCookie)
if len(cookies) != 1 {
return ""