From 65389b93922e193be8769609e29fff6243147a9c Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 29 Apr 2025 09:02:47 -0600
Subject: Use secure and http flag on cookies everywhere

> A cookie with the Secure attribute is only sent to the server with
> an encrypted request over the HTTPS protocol. It's never sent with
> unsecured HTTP (except on localhost), which means man-in-the-middle
> attackers can't access it easily. Insecure sites (with http: in the
> URL) can't set cookies with the Secure attribute. However, don't
> assume that Secure prevents all access to sensitive information in
> cookies. For example, someone with access to the client's hard disk
> (or JavaScript if the HttpOnly attribute isn't set) can read and
> modify the information.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies
---
 app/controllers/sessions/controller_test.go | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
(limited to 'app/controllers')

diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index c0c1de2..9ece4f9 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -11,7 +11,6 @@ import (
 	"github.com/oauth2-proxy/mockoidc"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/xlgmokha/x/pkg/x"
 	xcfg "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
@@ -62,11 +61,8 @@ func TestSessions(t *testing.T) {
 			cookieHeader := w.Header().Get("Set-Cookie")
 			require.NotEmpty(t, cookieHeader)
-			cookies, err := http.ParseCookie(cookieHeader)
+			cookie, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
 			require.NoError(t, err)
-			cookie := x.Find(cookies, func(item *http.Cookie) bool {
-				return item.Name == "oauth_state"
-			})
 			require.NotZero(t, cookie)
 		})
 	})
@@ -126,11 +122,8 @@ func TestSessions(t *testing.T) {
 			mux.ServeHTTP(w, r)
-			cookies, err := http.ParseCookie(w.Header().Get("Set-Cookie"))
+			cookie, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
 			require.NoError(t, err)
-			cookie := x.Find(cookies, func(item *http.Cookie) bool {
-				return item.Name == "session"
-			})
 			require.NotZero(t, cookie)
 			data, err := base64.URLEncoding.DecodeString(cookie.Value)
 			require.NoError(t, err)
-- 
cgit v1.2.3
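Review bot: Neither hunk asserts the attributes the commit title promises — after parsing the Set-Cookie header with `http.ParseSetCookie`, both the oauth_state hunk (@@ -62) and the session hunk (@@ -126) only check `require.NotZero(t, cookie)`, so a later regression that drops the Secure or HttpOnly attribute would still pass; add `require.True(t, cookie.Secure)` and `require.True(t, cookie.HttpOnly)` after the `require.NoError` line in both (and a `cookie.SameSite` check if the handler sets one). The name check that the removed `x.Find` call performed is also gone, so `require.Equal(t, "oauth_state", cookie.Name)` (and `"session"` in the second hunk) should be restored so the test cannot pass on an unrelated cookie. Since `w.Header().Get("Set-Cookie")` returns only the first header value, the test now silently depends on the handler emitting exactly one cookie; `w.Result().Cookies()` would be more robust if more are ever set. Minor: the first hunk already has `cookieHeader` in scope and could pass it instead of re-reading the header. TestSessions starts and ends outside both hunks.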