refactor: share secure request detection helper (#23)

Author: damacus

internal/handlers/auth_handler.go

@@ -79,7 +79,7 @@ func (h *AuthHandler) Login(c echo.Context) error {
 	cookie.Path = "/"
 	cookie.HttpOnly = true
 	cookie.SameSite = http.SameSiteStrictMode
-	cookie.Secure = requestIsSecure(c)
+	cookie.Secure = utils.IsSecureRequest(c.Request())
 	c.SetCookie(cookie)
 
 	// 4. Redirect (HTMX handles 200 OK with HX-Redirect)
@@ -96,20 +96,11 @@ func (h *AuthHandler) Logout(c echo.Context) error {
 	cookie.Path = "/"
 	cookie.HttpOnly = true
 	cookie.SameSite = http.SameSiteStrictMode
-	cookie.Secure = requestIsSecure(c)
+	cookie.Secure = utils.IsSecureRequest(c.Request())
 	c.SetCookie(cookie)
 	return c.Redirect(http.StatusSeeOther, "/login")
 }
 
-func requestIsSecure(c echo.Context) bool {
-	req := c.Request()
-	if req.TLS != nil {
-		return true
-	}
-
-	return req.Header.Get("X-Forwarded-Proto") == "https"
-}
-
 // LoginOIDC initiates the OIDC flow
 func (h *AuthHandler) LoginOIDC(c echo.Context) error {
 	// TODO: Generate state, store in cookie, redirect to OIDC provider

internal/middleware/security_headers.go

@@ -1,8 +1,7 @@
 package middleware
 
 import (
-	"strings"
-
+	"github.com/damacus/iron-buckets/internal/utils"
 	"github.com/labstack/echo/v4"
 )
 
@@ -26,20 +25,11 @@ func SecurityHeaders() echo.MiddlewareFunc {
 			headers.Set("Permissions-Policy", "geolocation=(), microphone=(), camera=()")
 			headers.Set("Content-Security-Policy", contentSecurityPolicy)
 
-			if isSecureRequest(c) {
+			if utils.IsSecureRequest(c.Request()) {
 				headers.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 			}
 
 			return next(c)
 		}
 	}
 }
-
-func isSecureRequest(c echo.Context) bool {
-	req := c.Request()
-	if req.TLS != nil {
-		return true
-	}
-
-	return strings.EqualFold(req.Header.Get("X-Forwarded-Proto"), "https")
-}

internal/utils/request_security.go

@@ -0,0 +1,18 @@
+package utils
+
+import (
+	"net/http"
+	"strings"
+)
+
+func IsSecureRequest(req *http.Request) bool {
+	if req == nil {
+		return false
+	}
+
+	if req.TLS != nil {
+		return true
+	}
+
+	return strings.EqualFold(req.Header.Get("X-Forwarded-Proto"), "https")
+}

internal/utils/request_security_test.go

@@ -0,0 +1,33 @@
+package utils
+
+import (
+	"crypto/tls"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestIsSecureRequest_UsesTLSState(t *testing.T) {
+	req := httptest.NewRequest("GET", "/health", nil)
+	req.TLS = &tls.ConnectionState{}
+
+	if !IsSecureRequest(req) {
+		t.Fatal("expected request with TLS state to be secure")
+	}
+}
+
+func TestIsSecureRequest_UsesForwardedProtoCaseInsensitive(t *testing.T) {
+	req := httptest.NewRequest("GET", "/health", nil)
+	req.Header.Set("X-Forwarded-Proto", "HTTPS")
+
+	if !IsSecureRequest(req) {
+		t.Fatal("expected X-Forwarded-Proto=HTTPS to be secure")
+	}
+}
+
+func TestIsSecureRequest_ReturnsFalseForNonSecureRequest(t *testing.T) {
+	req := httptest.NewRequest("GET", "/health", nil)
+
+	if IsSecureRequest(req) {
+		t.Fatal("expected plain HTTP request to be non-secure")
+	}
+}