fix: less restrictive view cookie path

2025-04-21 12:15:23 +03:00 · 2025-04-21 12:15:23 +03:00 · d7900e8078
commit d7900e8078
parent 7a0c0a9007
2 changed files with 17 additions and 18 deletions
--- a/server/internal/service/auth.go
+++ b/server/internal/service/auth.go
@ -29,6 +29,7 @@ const (
 	authCookieName = "notatest.refresh_token"
 	viewCookieName = "notatest.expires_at"
 	authCookiePath = "/api/auth/cookie"
+	viewCookiePath = "/"
 )

 var (
@ -594,25 +595,29 @@ func (rs authResource) userFromCtxClaims(w http.ResponseWriter, r *http.Request)
 }

 func (rs authResource) setAuthCookies(w http.ResponseWriter, tokenPair *tokenPair, clearCookies bool) {
-	expirationTime := time.Now().Add(refreshTokenDuration)
-	expirationUnix := strconv.FormatInt(expirationTime.Unix(), 10)
-
 	log.Debug().Msgf("Setting authentication cookies (clearCookies: %t)", clearCookies)

 	var maxAge int
-	var value string
+	var expirationTime time.Time
+	var rtValue string
+
 	if clearCookies {
+		expirationTime = time.Now()
 		maxAge = 0 // Expires immediately
-		value = ""
+		rtValue = ""
 	} else {
+		expirationTime = time.Now().Add(refreshTokenDuration)
 		maxAge = int(refreshTokenDuration.Seconds())
-		value = tokenPair.RefreshToken
+		rtValue = tokenPair.RefreshToken
 	}

+	expirationValue := strconv.FormatInt(expirationTime.Unix(), 10)
+	log.Debug().Msgf("AC: {path='%s', maxAge='%d'}, VC: {path='%s', maxAge='%d'}", authCookiePath, maxAge, viewCookiePath, maxAge)
+
 	// The actual auth cookie is httpOnly, i.e. not viewable by the client
 	http.SetCookie(w, &http.Cookie{
 		Name:     authCookieName,
-		Value:    value,
+		Value:    rtValue,
 		Domain:   rs.Config.Domain,
 		Path:     authCookiePath,
 		MaxAge:   maxAge,
@ -622,12 +627,13 @@ func (rs authResource) setAuthCookies(w http.ResponseWriter, tokenPair *tokenPai
 	})

 	// The information cookie can be used by the client to check how long it'll take until the
-	// actual auth cookie expires (notably `HttpOnly: false` is a must)
+	// actual auth cookie expires (notably `HttpOnly: false` and `Path: "/"` must be set for
+	// the cookie to be readable from our client-side implementation)
 	http.SetCookie(w, &http.Cookie{
 		Name:     viewCookieName,
-		Value:    expirationUnix,
+		Value:    expirationValue,
 		Domain:   rs.Config.Domain,
-		Path:     authCookiePath,
+		Path:     viewCookiePath,
 		MaxAge:   maxAge,
 		HttpOnly: false,
 		Secure:   rs.Config.IsProd,
--- a/server/internal/service/service.go
+++ b/server/internal/service/service.go
@ -20,15 +20,8 @@ type SvcConfig struct {
 }

 func (sc *SvcConfig) allowedOrigins() []string {
-	var allowed []string
-	if sc.IsProd {
-		allowed = []string{sc.FrontendURL}
-	} else {
-		allowed = []string{"http://localhost:5173"}
-	}
-
+	allowed := []string{sc.FrontendURL}
 	log.Debug().Msgf("CORS allowedOrigins: %v", allowed)
-
 	return allowed
 }