| 404 | // browserSessionCookies: when true, both cookies use MaxAge 0 (session cookies) so they are not |
| 405 | // persisted to disk and are dropped when the browser session ends (close all windows / quit). |
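//
// Attributes shared by both cookies: HttpOnly, Path "/", and the same Secure and
// SameSite values. Secure is set only when env is "production" AND the request is
// seen as HTTPS (r.TLS, or X-Forwarded-Proto == "https"). SameSite is Strict only
// in production over HTTPS when useLax is false; in every other case it is Lax.
// X-Forwarded-Proto is read as-is, so this relies on a trusted reverse proxy
// setting it and dropping any client-supplied value.
func setAuthCookiesWithRemember(w http.ResponseWriter, r *http.Request, accessToken, refreshToken string, tokenMaxAge int64, rememberMe bool, env string, useLax bool, browserSessionCookies bool) {
	const (
		refreshMaxAgeDefault  = 7 * 24 * 3600  // 7 days
		refreshMaxAgeRemember = 30 * 24 * 3600 // 30 days
	)

	isProduction := env == "production"
	// NOTE(review): the forwarded-proto header is trusted without checking the
	// peer; a misconfigured proxy means a production cookie without Secure.
	secure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"

	// Strict only when the cookie is actually protected (production over HTTPS)
	// and the caller did not ask for Lax; OIDC redirects from the IdP need Lax
	// for the cookie to be sent on the cross-site top-level navigation.
	sameSite := http.SameSiteLaxMode
	if !useLax && isProduction && secure {
		sameSite = http.SameSiteStrictMode
	}

	// setCookie emits one auth cookie with the shared attributes. maxAge is
	// forced to 0 (no Max-Age attribute, i.e. a browser-session cookie) when
	// browserSessionCookies is set.
	setCookie := func(name, value string, maxAge int) {
		if browserSessionCookies {
			maxAge = 0
		}
		http.SetCookie(w, &http.Cookie{
			Name:     name,
			Value:    value,
			Path:     "/",
			MaxAge:   maxAge,
			HttpOnly: true,
			Secure:   secure && isProduction,
			SameSite: sameSite,
		})
	}

	setCookie("token", accessToken, int(tokenMaxAge))

	// NOTE(review): refresh_token shares Path "/" with the access token, so it
	// is sent on every request rather than only to the refresh endpoint.
	refreshMaxAge := refreshMaxAgeDefault
	if rememberMe {
		refreshMaxAge = refreshMaxAgeRemember
	}
	setCookie("refresh_token", refreshToken, refreshMaxAge)
}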
| 442 | |
| 443 | // completeLogin creates tokens, optionally creates session for remember-me, sets cookies, returns JSON. |
| 444 | func (h *AuthHandler) completeLogin(w http.ResponseWriter, r *http.Request, user *models.User, rememberMe bool) { |