arthur/xtablo-source
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions 5
xtablo-source/backend/internal/auth/cookie.go
Arthur Belleville fd2301decf
feat(02-03): session store + cookie helpers (real-DB TDD) 
- Store.Create: 32-byte crypto/rand token, SHA-256 hex as DB id (D-05)
- Store.Lookup: hashes cookie, maps pgx.ErrNoRows to ErrSessionNotFound (D-07)
- Store.Delete: hard-deletes session row (D-06)
- Store.Rotate: deletes old row before creating new one (D-10, T-2-04)
- Store.MaybeExtend: extends only when remaining < 7 days (D-09)
- SetSessionCookie: HttpOnly + Secure (env-gated) + SameSite=Lax (D-12)
- ClearSessionCookie: MaxAge=-1 not 0 (RESEARCH Pattern 3 / D-06)
- 10 tests: 7 real-DB (skip without TEST_DATABASE_URL) + 3 cookie unit tests
2026-05-14 22:08:04 +02:00

50 lines
1.5 KiB
Go
Raw Blame History

package auth
import (
"net/http"
"time"
)
// SetSessionCookie writes an HTTP-only session cookie to the response.
// The Secure attribute is gated by the secure parameter — callers pass
// (ENV != "dev") so plain localhost works in development (D-12).
//
// Cookie attributes per D-12:
// - HttpOnly: true (no JS access)
// - Secure: env-gated
// - SameSite: Lax (blocks cross-site POST; allows top-level GET navigation)
// - Path: /
// - MaxAge: mirrors the session TTL (re-issued on extension so the browser
// cookie lifetime stays in sync with the DB row)
func SetSessionCookie(w http.ResponseWriter, value string, expiresAt time.Time, secure bool) {
maxAge := int(time.Until(expiresAt).Seconds())
if maxAge < 0 {
maxAge = 0
}
http.SetCookie(w, &http.Cookie{
Name: SessionCookieName,
Value: value,
Path: "/",
Expires: expiresAt,
MaxAge: maxAge,
HttpOnly: true,
Secure: secure,
SameSite: http.SameSiteLaxMode,
})
}
// ClearSessionCookie instructs the browser to delete the session cookie.
// MaxAge=-1 in Go's http.Cookie emits "Max-Age=0" in the Set-Cookie header,
// which browsers interpret as "delete immediately" (D-06, RESEARCH Pattern 3).
func ClearSessionCookie(w http.ResponseWriter, secure bool) {
http.SetCookie(w, &http.Cookie{
Name: SessionCookieName,
Value: "",
Path: "/",
Expires: time.Unix(0, 0),
MaxAge: -1,
HttpOnly: true,
Secure: secure,
SameSite: http.SameSiteLaxMode,
})
}
Reference in a new issue View git blame Copy permalink