fix: same site cookies for sso/ normal login (#299)

gusfcarvalho · web-flow · commit a99c661b9658 · 2025-12-30T18:06:48.000-03:00
* fix: same site cookies for sso/ normal login

Signed-off-by: Gustavo Carvalho &lt;gustavo.carvalho@container-solutions.com&gt;

* fix: enforce strict for callback cookie

Signed-off-by: Gustavo Carvalho &lt;gustavo.carvalho@container-solutions.com&gt;

* fix: fix tests

Signed-off-by: Gustavo Carvalho &lt;gustavo.carvalho@container-solutions.com&gt;

---------

Signed-off-by: Gustavo Carvalho &lt;gustavo.carvalho@container-solutions.com&gt;
diff --git a/internal/api/handler/auth/auth.go b/internal/api/handler/auth/auth.go
@@ -112,13 +112,12 @@ func (h *AuthHandler) LoginUser(ctx echo.Context) error {
 	cookie.Expires = time.Now().Add(time.Hour * 24)
 	cookie.HttpOnly = true
 	cookie.Path = "/"
+	cookie.SameSite = http.SameSiteStrictMode
 
 	if isDevelopmentEnvironment(h.config.Environment) {
 		cookie.Secure = false
-		cookie.SameSite = http.SameSiteLaxMode
 	} else {
 		cookie.Secure = true
-		cookie.SameSite = http.SameSiteStrictMode
 	}
 
 	ctx.SetCookie(cookie)
diff --git a/internal/api/handler/auth/sso.go b/internal/api/handler/auth/sso.go
@@ -123,13 +123,13 @@ func (h *SSOHandler) InitiateLogin(ctx echo.Context) error {
 	cookie.Expires = time.Now().Add(5 * time.Minute)
 	cookie.HttpOnly = true
 	cookie.Path = "/"
+	// Note: cannot set this to Strict as it breaks OIDC/oAuth2 flow
+	cookie.SameSite = http.SameSiteLaxMode
 
 	if isDevelopmentEnvironment(h.config.Environment) {
 		cookie.Secure = false
-		cookie.SameSite = http.SameSiteLaxMode
 	} else {
 		cookie.Secure = true
-		cookie.SameSite = http.SameSiteStrictMode
 	}
 
 	ctx.SetCookie(cookie)
@@ -217,13 +217,12 @@ func (h *SSOHandler) Callback(ctx echo.Context) error {
 	authCookie.Expires = time.Now().Add(time.Hour * 24)
 	authCookie.HttpOnly = true
 	authCookie.Path = "/"
+	authCookie.SameSite = http.SameSiteStrictMode
 
 	if isDevelopmentEnvironment(h.config.Environment) {
 		authCookie.Secure = false
-		authCookie.SameSite = http.SameSiteLaxMode
 	} else {
 		authCookie.Secure = true
-		authCookie.SameSite = http.SameSiteStrictMode
 	}
 
 	ctx.SetCookie(authCookie)
diff --git a/internal/api/handler/auth/sso_test.go b/internal/api/handler/auth/sso_test.go
@@ -150,7 +150,7 @@ func TestSSOHandlerInitiateLogin_SetsStateCookie(t *testing.T) {
 	require.NotNil(t, stateCookie)
 	require.Equal(t, "state123", stateCookie.Value)
 	require.True(t, stateCookie.Secure)
-	require.Equal(t, http.SameSiteStrictMode, stateCookie.SameSite)
+	require.Equal(t, http.SameSiteLaxMode, stateCookie.SameSite)
 }
 
 func TestSSOHandlerCallback_NewUserCreated(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ func TestSSOHandlerInitiateLogin_SetsStateCookie(t *testing.T) {`
`150`	`150`	`require.NotNil(t, stateCookie)`
`151`	`151`	`require.Equal(t, "state123", stateCookie.Value)`
`152`	`152`	`require.True(t, stateCookie.Secure)`
`153`		`- require.Equal(t, http.SameSiteStrictMode, stateCookie.SameSite)`
	`153`	`+ require.Equal(t, http.SameSiteLaxMode, stateCookie.SameSite)`
`154`	`154`	`}`
`155`	`155`
`156`	`156`	`func TestSSOHandlerCallback_NewUserCreated(t *testing.T) {`