From b7a520b8ef410d422db653d2680a2aafe3341013 Mon Sep 17 00:00:00 2001
From: mo khan
Date: Thu, 8 May 2025 09:53:24 -0600
Subject: feat: use a cookie prefix to lock down the session cookie

> __Host-: If a cookie name has this prefix, it's accepted in a
> Set-Cookie header only if it's also marked with the Secure attribute,
> was sent from a secure origin, does not include a Domain attribute,
> and has the Path attribute set to /. In other words, the cookie is
> domain-locked.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes
---
 pkg/web/cookie.go | 3 ---
 pkg/web/cookie_test.go | 34 +++++++++++++--------------------
 2 files changed, 13 insertions(+), 24 deletions(-)
 (limited to 'pkg')

diff --git a/pkg/web/cookie.go b/pkg/web/cookie.go
index c60121f..fd81c1d 100644
--- a/pkg/web/cookie.go
+++ b/pkg/web/cookie.go
@@ -26,8 +26,6 @@ func NewCookie(name, value string, options ...x.Option[*http.Cookie]) *http.Cook
 cookie.WithPath("/"),
 cookie.WithHttpOnly(true),
 cookie.WithSecure(true),
- cookie.WithSameSite(http.SameSiteDefaultMode),
- cookie.WithDomain(env.Fetch("HOST", "localhost")),
 )...)
 }
@@ -51,7 +49,6 @@ func withSignedValue(value string) x.Option[*http.Cookie] {
 func ExpireCookie(w http.ResponseWriter, name string) {
 cookie.Expire(w, name,
 cookie.WithPath("/"),
- cookie.WithDomain(env.Fetch("HOST", "localhost")),
 cookie.WithHttpOnly(true),
 cookie.WithSecure(true),
 )
diff --git a/pkg/web/cookie_test.go b/pkg/web/cookie_test.go
index 60cf7cf..1a3bfb0 100644
--- a/pkg/web/cookie_test.go
+++ b/pkg/web/cookie_test.go
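Review bot: Removing `cookie.WithSameSite(http.SameSiteDefaultMode)` leaves the session cookie with no SameSite attribute (net/http emits none for SameSiteDefaultMode, so the header bytes are unchanged), which means the browser's own default decides whether the cookie accompanies cross-site requests; since this commit is hardening the session cookie, an explicit `cookie.WithSameSite(http.SameSiteLaxMode),` in the option list would make the CSRF posture independent of client defaults. The `__Host-` name prefix described in the commit message is not applied in either hunk of this file; if callers outside `pkg` add it, a comment on NewCookie such as `// Secure, Path=/ and no Domain are required for a __Host- prefixed name.` would explain why the Domain option was removed rather than leaving it to look like a dropped feature. The same requirement applies to the ExpireCookie hunk, whose clearing Set-Cookie now keeps Secure and Path=/ without Domain. NewCookie's body starts before the hunk; only its option list is visible.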
@@ -8,34 +8,26 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "github.com/xlgmokha/x/pkg/env"
 )
 func TestNewCookie(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
- cookie := NewCookie("name", "value")
- assert.Equal(t, "sparkle.example.com", cookie.Domain)
- assert.True(t, cookie.HttpOnly)
- assert.True(t, cookie.Secure)
- assert.Equal(t, http.SameSiteDefaultMode, cookie.SameSite)
- })
+ cookie := NewCookie("name", "value")
+ assert.True(t, cookie.HttpOnly)
+ assert.True(t, cookie.Secure)
 }
 func TestExpireCookie(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
- w := httptest.NewRecorder()
+ w := httptest.NewRecorder()
- ExpireCookie(w, "example")
+ ExpireCookie(w, "example")
- result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
- require.NoError(t, err)
+ result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
+ require.NoError(t, err)
- assert.Empty(t, result.Value)
- assert.Equal(t, "sparkle.example.com", result.Domain)
- assert.Equal(t, -1, result.MaxAge)
- assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix())
- assert.True(t, result.HttpOnly)
- assert.True(t, result.Secure)
- assert.Zero(t, result.SameSite)
- })
+ assert.Empty(t, result.Value)
+ assert.Equal(t, -1, result.MaxAge)
+ assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix())
+ assert.True(t, result.HttpOnly)
+ assert.True(t, result.Secure)
+ assert.Zero(t, result.SameSite)
 }
-- cgit v1.2.3
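Review bot: The new TestNewCookie asserts only HttpOnly and Secure, so the two properties this commit actually changes — no Domain attribute and Path=/, both preconditions for a `__Host-` cookie — are unverified, and a later re-addition of `cookie.WithDomain(...)` would still pass. Adding `assert.Empty(t, cookie.Domain)` and `assert.Equal(t, "/", cookie.Path)` beside the existing assertions, plus `assert.Empty(t, result.Domain)` in TestExpireCookie, would pin the invariant the commit message relies on. `assert.Zero(t, result.SameSite)` encodes that no SameSite attribute is emitted; if that is intended rather than incidental, a one-line comment on that assertion saying so would keep a reader from treating it as an oversight.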