summaryrefslogtreecommitdiff
path: root/pkg/web/cookie_test.go
diff options
context:
space:
mode:
authormo khan <mo@mokhan.ca>2025-05-08 09:53:24 -0600
committermo khan <mo@mokhan.ca>2025-05-08 09:53:24 -0600
commitb7a520b8ef410d422db653d2680a2aafe3341013 (patch)
tree30a2a8f278684f006bbb846cbdd560c9080bcfaf /pkg/web/cookie_test.go
parente9b9d1058504f8331bf03e6168074ef7cedab519 (diff)
feat: use a cookie prefix to lock down the session cookie
> __Host-: If a cookie name has this prefix, it's accepted in a > Set-Cookie header only if it's also marked with the Secure attribute, > was sent from a secure origin, does not include a Domain attribute, > and has the Path attribute set to /. In other words, the cookie is > domain-locked. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
Diffstat (limited to 'pkg/web/cookie_test.go')
-rw-r--r--pkg/web/cookie_test.go34
1 files changed, 13 insertions, 21 deletions
diff --git a/pkg/web/cookie_test.go b/pkg/web/cookie_test.go
index 60cf7cf..1a3bfb0 100644
--- a/pkg/web/cookie_test.go
+++ b/pkg/web/cookie_test.go
@@ -8,34 +8,26 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
- "github.com/xlgmokha/x/pkg/env"
)
func TestNewCookie(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
- cookie := NewCookie("name", "value")
- assert.Equal(t, "sparkle.example.com", cookie.Domain)
- assert.True(t, cookie.HttpOnly)
- assert.True(t, cookie.Secure)
- assert.Equal(t, http.SameSiteDefaultMode, cookie.SameSite)
- })
+ cookie := NewCookie("name", "value")
+ assert.True(t, cookie.HttpOnly)
+ assert.True(t, cookie.Secure)
}
func TestExpireCookie(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
- w := httptest.NewRecorder()
+ w := httptest.NewRecorder()
- ExpireCookie(w, "example")
+ ExpireCookie(w, "example")
- result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
- require.NoError(t, err)
+ result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
+ require.NoError(t, err)
- assert.Empty(t, result.Value)
- assert.Equal(t, "sparkle.example.com", result.Domain)
- assert.Equal(t, -1, result.MaxAge)
- assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix())
- assert.True(t, result.HttpOnly)
- assert.True(t, result.Secure)
- assert.Zero(t, result.SameSite)
- })
+ assert.Empty(t, result.Value)
+ assert.Equal(t, -1, result.MaxAge)
+ assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix())
+ assert.True(t, result.HttpOnly)
+ assert.True(t, result.Secure)
+ assert.Zero(t, result.SameSite)
}
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-02 16:28:00 +0000