From dd33572c6bc554019c052e7281d4d5269b7b4986 Mon Sep 17 00:00:00 2001
From: mo khan <mo@mokhan.ca>
Date: Wed, 7 May 2025 18:50:05 -0700
Subject: fix: do not clear set-cookie header

---
 app/controllers/sessions/controller.go      | 14 ++------------
 app/controllers/sessions/controller_test.go | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 21 deletions(-)

(limited to 'app')

diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 7c65d56..6948473 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -5,7 +5,6 @@ import (
 	"time"
 
 	"github.com/xlgmokha/x/pkg/cookie"
-	"github.com/xlgmokha/x/pkg/log"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/middleware"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
@@ -140,19 +139,10 @@ func (c *Controller) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ck := web.NewCookie(
-		"session",
-		encoded,
+	cookie.Write(w, web.NewCookie("session", encoded,
 		cookie.WithSameSite(http.SameSiteLaxMode),
 		cookie.WithExpiration(tokens.Expiry),
-	)
-	log.WithFields(r.Context(), log.Fields{
-		"cookie": ck,
-		"expiry": tokens.Expiry,
-		"now":    time.Now(),
-	})
-	cookie.Write(w, ck)
-	web.ExpireCookie(w, "oauth_state")
+	))
 	http.Redirect(w, r, "/dashboard", http.StatusFound)
 }
 
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index 43cd0b9..4b68c7a 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -124,7 +124,8 @@ func TestSessions(t *testing.T) {
 
 			mux.ServeHTTP(w, r)
 
-			cookie, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
+			setCookieValue := w.Header().Get("Set-Cookie")
+			cookie, err := http.ParseSetCookie(setCookieValue)
 			require.NoError(t, err)
 			require.NotZero(t, cookie)
 			data, err := base64.URLEncoding.DecodeString(web.CookieValueFrom(cookie))
@@ -152,14 +153,6 @@ func TestSessions(t *testing.T) {
 				sub, err := token.Claims.GetSubject()
 				require.NoError(t, err)
 				assert.Equal(t, user.Subject, sub)
-
-				assert.Equal(t, "/", cookie.Path)
-				assert.Equal(t, "localhost", cookie.Domain)
-				assert.Equal(t, "session", cookie.Name)
-				assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
-				assert.Equal(t, x.Must(time.Parse(time.RFC3339, tokens["expiry"].(string))).Unix(), cookie.Expires.Unix())
-				assert.True(t, cookie.HttpOnly)
-				assert.True(t, cookie.Secure)
 			})
 
 			t.Run("stores the refresh token in a session cookie", func(t *testing.T) {
@@ -180,6 +173,17 @@ func TestSessions(t *testing.T) {
 				require.Equal(t, http.StatusFound, w.Code)
 				assert.Equal(t, "/dashboard", w.Header().Get("Location"))
 			})
+
+			t.Run("applies the appropriate cookie settings", func(t *testing.T) {
+				assert.Equal(t, "/", cookie.Path)
+				assert.Equal(t, "localhost", cookie.Domain)
+				assert.Equal(t, "session", cookie.Name)
+				assert.Equal(t, http.SameSiteLaxMode, cookie.SameSite)
+				assert.Equal(t, x.Must(time.Parse(time.RFC3339, tokens["expiry"].(string))).Unix(), cookie.Expires.Unix())
+				assert.True(t, cookie.HttpOnly)
+				assert.True(t, cookie.Secure)
+				assert.NotEmpty(t, cookie.Value)
+			})
 		})
 	})
 
-- 
cgit v1.2.3