diff options
| author | mo khan <mo@mokhan.ca> | 2025-05-08 09:53:24 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-08 09:53:24 -0600 |
| commit | b7a520b8ef410d422db653d2680a2aafe3341013 (patch) | |
| tree | 30a2a8f278684f006bbb846cbdd560c9080bcfaf /pkg | |
| parent | e9b9d1058504f8331bf03e6168074ef7cedab519 (diff) | |
feat: use a cookie prefix to lock down the session cookie
> __Host-: If a cookie name has this prefix, it's accepted in a
> Set-Cookie header only if it's also marked with the Secure attribute,
> was sent from a secure origin, does not include a Domain attribute,
> and has the Path attribute set to /. In other words, the cookie is
> domain-locked.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
Diffstat (limited to 'pkg')
| -rw-r--r-- | pkg/web/cookie.go | 3 | ||||
| -rw-r--r-- | pkg/web/cookie_test.go | 34 |
2 files changed, 13 insertions, 24 deletions
diff --git a/pkg/web/cookie.go b/pkg/web/cookie.go index c60121f..fd81c1d 100644 --- a/pkg/web/cookie.go +++ b/pkg/web/cookie.go @@ -26,8 +26,6 @@ func NewCookie(name, value string, options ...x.Option[*http.Cookie]) *http.Cook cookie.WithPath("/"), cookie.WithHttpOnly(true), cookie.WithSecure(true), - cookie.WithSameSite(http.SameSiteDefaultMode), - cookie.WithDomain(env.Fetch("HOST", "localhost")), )...) } @@ -51,7 +49,6 @@ func withSignedValue(value string) x.Option[*http.Cookie] { func ExpireCookie(w http.ResponseWriter, name string) { cookie.Expire(w, name, cookie.WithPath("/"), - cookie.WithDomain(env.Fetch("HOST", "localhost")), cookie.WithHttpOnly(true), cookie.WithSecure(true), ) diff --git a/pkg/web/cookie_test.go b/pkg/web/cookie_test.go index 60cf7cf..1a3bfb0 100644 --- a/pkg/web/cookie_test.go +++ b/pkg/web/cookie_test.go @@ -8,34 +8,26 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/xlgmokha/x/pkg/env" ) func TestNewCookie(t *testing.T) { - env.With(env.Vars{"HOST": "sparkle.example.com"}, func() { - cookie := NewCookie("name", "value") - assert.Equal(t, "sparkle.example.com", cookie.Domain) - assert.True(t, cookie.HttpOnly) - assert.True(t, cookie.Secure) - assert.Equal(t, http.SameSiteDefaultMode, cookie.SameSite) - }) + cookie := NewCookie("name", "value") + assert.True(t, cookie.HttpOnly) + assert.True(t, cookie.Secure) } func TestExpireCookie(t *testing.T) { - env.With(env.Vars{"HOST": "sparkle.example.com"}, func() { - w := httptest.NewRecorder() + w := httptest.NewRecorder() - ExpireCookie(w, "example") + ExpireCookie(w, "example") - result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie")) - require.NoError(t, err) + result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie")) + require.NoError(t, err) - assert.Empty(t, result.Value) - assert.Equal(t, "sparkle.example.com", result.Domain) - assert.Equal(t, -1, result.MaxAge) - assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix()) - assert.True(t, result.HttpOnly) - assert.True(t, result.Secure) - assert.Zero(t, result.SameSite) - }) + assert.Empty(t, result.Value) + assert.Equal(t, -1, result.MaxAge) + assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix()) + assert.True(t, result.HttpOnly) + assert.True(t, result.Secure) + assert.Zero(t, result.SameSite) } |