sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Set Secure flag on session cookie in production mode (closes #5) #10

Merged
sneak merged 1 commits from :fix/issue-5 into main 2026-02-16 05:58:22 +01:00
Conversation 0 Commits 1 Files Changed 2 +71
clawbot commented 2026-02-08 21:05:33 +01:00
Collaborator
Copy Link
No description provided.
sneak was assigned by clawbot 2026-02-08 21:05:33 +01:00
clawbot added 1 commit 2026-02-08 21:05:33 +01:00
clawbot reviewed 2026-02-16 05:55:58 +01:00
clawbot left a comment
Author
Collaborator
Copy Link

Review: PR#10 — Set Secure flag on session cookie in production mode

Overall: Clean security hardening. Correct and straightforward.

Positives

  • Secure: !params.Config.Debug is a clean one-liner that ties the flag to the existing debug config.
  • Good that debug mode still works over HTTP for local development.
  • Test verifies the Secure flag is set when Debug: false.

Observations

  1. Missing negative test: The test only checks Debug: falseSecure: true. A companion test for Debug: trueSecure: false would complete the coverage and prevent regressions.
  2. Cookie name hardcoded in test: The test searches for "upaas_session" by string literal. If the cookie name changes, this test would silently pass (no cookie found → require.NotNil catches it, so actually this is fine).
  3. SameSite: Lax + Secure: Good combination. Lax allows top-level navigations while Secure ensures HTTPS-only transmission.
  4. Test setup verbosity: The test duplicates a lot of service initialization code. Consider extracting a helper (similar to setupTestService but with configurable Debug flag) to reduce duplication if more auth tests are added.

Verdict: Approve. Simple, correct security improvement.

## Review: PR#10 — Set Secure flag on session cookie in production mode **Overall: Clean security hardening. Correct and straightforward.** ### Positives - `Secure: !params.Config.Debug` is a clean one-liner that ties the flag to the existing debug config. - Good that debug mode still works over HTTP for local development. - Test verifies the Secure flag is set when `Debug: false`. ### Observations 1. **Missing negative test**: The test only checks `Debug: false` → `Secure: true`. A companion test for `Debug: true` → `Secure: false` would complete the coverage and prevent regressions. 2. **Cookie name hardcoded in test**: The test searches for `"upaas_session"` by string literal. If the cookie name changes, this test would silently pass (no cookie found → `require.NotNil` catches it, so actually this is fine). 3. **`SameSite: Lax` + `Secure`**: Good combination. Lax allows top-level navigations while Secure ensures HTTPS-only transmission. 4. **Test setup verbosity**: The test duplicates a lot of service initialization code. Consider extracting a helper (similar to `setupTestService` but with configurable `Debug` flag) to reduce duplication if more auth tests are added. **Verdict: Approve.** Simple, correct security improvement.
sneak merged commit 3a2bd0e51d into main 2026-02-16 05:58:22 +01:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
notplanned

   
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
duplicate
enhancement
help wanted
invalid
notplanned
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
sneak
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/upaas#10
No description provided.
Delete Branch ":fix/issue-5"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?