From cdd7e3fd3ac327f662c8370ad96ca0c1c154d81c Mon Sep 17 00:00:00 2001
From: clawbot
Date: Sun, 15 Feb 2026 22:07:57 -0800
Subject: [PATCH] fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39)
The gorilla/sessions MaxAge field expects seconds, not nanoseconds. Previously MaxAge was set to -1000000000 (-1 * time.Second in nanoseconds), which worked by accident since any negative value deletes the cookie. Changed to the conventional value of -1.
---
 internal/service/auth/auth.go | 3 +--
 internal/service/auth/auth_test.go | 35 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/internal/service/auth/auth.go b/internal/service/auth/auth.go
index aa83128..726c2c0 100644
--- a/internal/service/auth/auth.go
+++ b/internal/service/auth/auth.go
@@ -10,7 +10,6 @@ import (
 "log/slog"
 "net/http"
 "strings"
- "time"
 
 "github.com/gorilla/sessions"
 "go.uber.org/fx"
@@ -269,7 +268,7 @@ func (svc *Service) DestroySession(
 return fmt.Errorf("failed to get session: %w", err)
 }
 
- session.Options.MaxAge = -1 * int(time.Second)
+ session.Options.MaxAge = -1
 
 saveErr := session.Save(request, respWriter)
 if saveErr != nil {
diff --git a/internal/service/auth/auth_test.go b/internal/service/auth/auth_test.go
index 156c016..057a074 100644
--- a/internal/service/auth/auth_test.go
+++ b/internal/service/auth/auth_test.go
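Review bot: `session.Options.MaxAge = -1` only asks the browser to drop the cookie; it does not clear what the session holds, and if the configured store is a CookieStore the resulting Set-Cookie still carries the securecookie-encoded `session.Values`, which stays a valid, replayable session for the codec's lifetime should the logout response be captured. Clear the payload on the line before the assignment, `clear(session.Values)` (Go 1.21+ builtin; the file already imports log/slog, so that version floor holds), and for a server-side store confirm it erases its record when saved with a non-positive MaxAge rather than assuming so. The `return fmt.Errorf("failed to get session: %w", err)` path above the change means a client whose cookie fails to decode gets an error and no deletion cookie, so it cannot log out through this function — that deserves a deliberate choice (clear the cookie anyway, or document why not). DestroySession starts and ends outside this hunk.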
@@ -369,3 +369,38 @@ func TestAuthenticate(testingT *testing.T) {
 assert.ErrorIs(t, err, auth.ErrInvalidCredentials)
 })
 }
+
+func TestDestroySessionMaxAge(testingT *testing.T) {
+ testingT.Parallel()
+
+ testingT.Run("sets MaxAge to exactly -1", func(t *testing.T) {
+ t.Parallel()
+
+ svc, cleanup := setupTestService(t)
+ defer cleanup()
+
+ recorder := httptest.NewRecorder()
+ request := httptest.NewRequest(http.MethodGet, "/", nil)
+
+ err := svc.DestroySession(recorder, request)
+ require.NoError(t, err)
+
+ // Check the Set-Cookie header to verify MaxAge is -1 (immediate expiry).
+ // With MaxAge = -1, the cookie should have Max-Age=0 in the HTTP header
+ // (per http.Cookie semantics: negative MaxAge means delete now).
+ cookies := recorder.Result().Cookies()
+ require.NotEmpty(t, cookies, "expected a Set-Cookie header")
+
+ found := false
+
+ for _, c := range cookies {
+ if c.MaxAge < 0 {
+ found = true
+
+ break
+ }
+ }
+
+ assert.True(t, found, "expected a cookie with negative MaxAge (deletion)")
+ })
+}
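Review bot: The subtest name "sets MaxAge to exactly -1" promises something `c.MaxAge < 0` cannot observe: net/http writes `Max-Age=0` for every negative MaxAge and `Result().Cookies()` parses that back to -1, so the pre-fix value of -1000000000 passes this test exactly as the new value does. Rename it to what is actually asserted, e.g. `testingT.Run("emits a deletion cookie", func(t *testing.T) {`, and match the cookie by the session's name instead of accepting any cookie with a negative MaxAge, `if c.Name == <session cookie name> && c.MaxAge < 0 {`, so an unrelated Set-Cookie cannot satisfy the check. Verifying the field is literally -1 would require reading the session's Options through the store rather than the response header. setupTestService and the session cookie name are defined outside this hunk.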