From b7a520b8ef410d422db653d2680a2aafe3341013 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Thu, 8 May 2025 09:53:24 -0600
Subject: feat: use a cookie prefix to lock down the session cookie

> __Host-: If a cookie name has this prefix, it's accepted in a
> Set-Cookie header only if it's also marked with the Secure attribute,
> was sent from a secure origin, does not include a Domain attribute,
> and has the Path attribute set to /. In other words, the cookie is
> domain-locked.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
---
 app/controllers/sessions/controller_test.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'app/controllers/sessions/controller_test.go')

diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index 4b68c7a..82c56d5 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -95,7 +95,7 @@ func TestSessions(t *testing.T) {
 			r, w := test.RequestResponse(
 				"GET",
 				"/session/callback?code="+code+"&state=invalid",
-				test.WithCookie(web.NewCookie("oauth_state", nonce)),
+				test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)),
 			)
 
 			mux.ServeHTTP(w, r)
@@ -119,7 +119,7 @@ func TestSessions(t *testing.T) {
 			r, w := test.RequestResponse(
 				"GET",
 				"/session/callback?code="+code+"&state="+nonce,
-				test.WithCookie(web.NewCookie("oauth_state", nonce)),
+				test.WithCookie(web.NewCookie(xcfg.CSRFCookie, nonce)),
 			)
 
 			mux.ServeHTTP(w, r)
@@ -176,8 +176,7 @@ func TestSessions(t *testing.T) {
 
 			t.Run("applies the appropriate cookie settings", func(t *testing.T) {
 				assert.Equal(t, "/", cookie.Path)
-				assert.Equal(t, "localhost", cookie.Domain)
-				assert.Equal(t, "session", cookie.Name)
+				assert.Equal(t, xcfg.SessionCookie, cookie.Name)
 				assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
 				assert.Equal(t, x.Must(time.Parse(time.RFC3339, tokens["expiry"].(string))).Unix(), cookie.Expires.Unix())
 				assert.True(t, cookie.HttpOnly)
@@ -189,14 +188,14 @@ func TestSessions(t *testing.T) {
 
 	t.Run("POST /session/destroy", func(t *testing.T) {
 		t.Run("clears the session cookie", func(t *testing.T) {
-			cookie := web.NewCookie("session", "value")
+			cookie := web.NewCookie(xcfg.SessionCookie, "value")
 			r, w := test.RequestResponse("POST", "/session/destroy", test.WithCookie(cookie))
 
 			mux.ServeHTTP(w, r)
 
 			require.Equal(t, http.StatusFound, w.Code)
 			assert.Equal(t, "/", w.Header().Get("Location"))
-			assert.Equal(t, "session=; Path=/; Domain=localhost; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure", w.Header().Get("Set-Cookie"))
+			assert.Equal(t, "session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure", w.Header().Get("Set-Cookie"))
 		})
 	})
 }
-- 
cgit v1.2.3