sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Set Secure flag on session cookie in production mode (closes #5) #10

Merged
sneak merged 1 commits from :fix/issue-5 into main 2026-02-16 05:58:22 +01:00
Conversation 0 Commits 1 Files Changed 2 +71
2 changed files with 71 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
internal/service/auth/auth.go
View File

@ -73,6 +73,7 @@ func New(_ fx.Lifecycle, params ServiceParams) (*Service, error) {
Path: "/", Path: "/",
MaxAge: sessionMaxAgeSeconds, MaxAge: sessionMaxAgeSeconds,
HttpOnly: true, HttpOnly: true,
Secure: !params.Config.Debug,
SameSite: http.SameSiteLaxMode, SameSite: http.SameSiteLaxMode,
} }

70
internal/service/auth/auth_test.go
View File

@ -2,6 +2,8 @@ package auth_test
import ( import (
"context" "context"
"net/http"
"net/http/httptest"
"path/filepath" "path/filepath"
"testing" "testing"
@ -68,6 +70,74 @@ func setupTestService(t *testing.T) (*auth.Service, func()) {
return svc, cleanup return svc, cleanup
} }
func TestSessionCookieSecureFlag(testingT *testing.T) {
testingT.Parallel()
testingT.Run("secure flag is true when debug is false", func(t *testing.T) {
t.Parallel()
tmpDir := t.TempDir()
globals.SetAppname("upaas-test")
globals.SetVersion("test")
globalsInst, err := globals.New(fx.Lifecycle(nil))
require.NoError(t, err)
loggerInst, err := logger.New(
fx.Lifecycle(nil),
logger.Params{Globals: globalsInst},
)
require.NoError(t, err)
cfg := &config.Config{
Port: 8080,
DataDir: tmpDir,
SessionSecret: "test-secret-key-at-least-32-chars",
Debug: false,
}
dbInst, err := database.New(fx.Lifecycle(nil), database.Params{
Logger: loggerInst,
Config: cfg,
})
require.NoError(t, err)
svc, err := auth.New(fx.Lifecycle(nil), auth.ServiceParams{
Logger: loggerInst,
Config: cfg,
Database: dbInst,
})
require.NoError(t, err)
// Create user and session, check cookie has Secure flag
_, err = svc.CreateUser(context.Background(), "admin", "password123")
require.NoError(t, err)
user, err := svc.Authenticate(context.Background(), "admin", "password123")
require.NoError(t, err)
recorder := httptest.NewRecorder()
request := httptest.NewRequest(http.MethodGet, "/", nil)
err = svc.CreateSession(recorder, request, user)
require.NoError(t, err)
cookies := recorder.Result().Cookies()
require.NotEmpty(t, cookies)
var sessionCookie *http.Cookie
for _, c := range cookies {
if c.Name == "upaas_session" {
sessionCookie = c
break
}
}
require.NotNil(t, sessionCookie, "session cookie should exist")
assert.True(t, sessionCookie.Secure, "session cookie should have Secure flag in production mode")
})
}
func TestHashPassword(testingT *testing.T) { func TestHashPassword(testingT *testing.T) {
testingT.Parallel() testingT.Parallel()