fix: eliminate 16 SonarCloud security hotspots (S2092/S3330)

Replace cookie-based auth state passing with server-rendered data attributes
on the consent page. This eliminates all non-HttpOnly and non-Secure cookie
patterns that SonarCloud flags as security hotspots.

Previously, the consent page handler set browser cookies (auth_method,
*_redirect_url) that JavaScript read on page load. Since JS needed access,
these cookies could not be HttpOnly — triggering S3330 hotspots. Cookie
deletion calls in callbacks used Secure=false/HttpOnly=false — triggering
both S2092 and S3330.

Now the Go handler passes AuthMethod and RedirectURL via gin.H template
context. The HTML template embeds these as data-* attributes on the Alpine.js
root element. JavaScript reads from this.$el.dataset instead of cookies.

Changes:
- endpoints_oauth.go: Replace 4 SetCookie calls with gin.H template data
- endpoints_saml.go: Remove 2 cookie deletion calls (no cookies to delete)
- endpoints_oidcrp.go: Remove 2 cookie deletion calls
- endpoints_users.go: Remove 4 cookie deletion calls
- consent.html: Add data-auth-method and data-redirect-url attributes
- consent.js: Read from data attributes, remove getCookie helper

Author: leifj

internal/apigw/httpserver/endpoints_oauth.go

@@ -170,10 +170,10 @@ func (s *Service) endpointOAuthAuthorizationConsent(ctx context.Context, c *gin.
 		return nil, err
 	}
 
-	// Set SameSite policy for consent cookies; Secure flag follows TLS configuration
-	c.SetSameSite(http.SameSiteLaxMode)
-	secureCookie := s.sessionsOptions.Secure
-	c.SetCookie("auth_method", authMethod, 900, "/authorization/consent", "", secureCookie, false)
+	// Collect template data for the consent page instead of setting cookies.
+	// This avoids non-HttpOnly cookies (S3330) since JavaScript reads auth state
+	// from data attributes embedded in the rendered HTML.
+	var redirectURL string
 
 	sessionID, ok := session.Get("session_id").(string)
 	if !ok {
@@ -193,7 +193,7 @@ func (s *Service) endpointOAuthAuthorizationConsent(ctx context.Context, c *gin.
 			return nil, err
 		}
 
-		c.SetCookie("pid_auth_redirect_url", reply.RedirectURL, 900, "/authorization/consent", "", secureCookie, false)
+		redirectURL = reply.RedirectURL
 		session.Set("verifier_context_id", reply.VerifierContextID)
 		if err := session.Save(); err != nil {
 			return nil, err
@@ -226,7 +226,7 @@ func (s *Service) endpointOAuthAuthorizationConsent(ctx context.Context, c *gin.
 			return nil, err
 		}
 
-		c.SetCookie("saml_redirect_url", authReq.RedirectURL, 900, "/authorization/consent", "", secureCookie, false)
+		redirectURL = authReq.RedirectURL
 	}
 
 	if authMethod == model.AuthMethodOIDC {
@@ -249,10 +249,13 @@ func (s *Service) endpointOAuthAuthorizationConsent(ctx context.Context, c *gin.
 			return nil, err
 		}
 
-		c.SetCookie("oidc_redirect_url", authReq.AuthorizationURL, 900, "/authorization/consent", "", secureCookie, false)
+		redirectURL = authReq.AuthorizationURL
 	}
 
-	c.HTML(http.StatusOK, "consent.html", nil)
+	c.HTML(http.StatusOK, "consent.html", gin.H{
+		"AuthMethod":  authMethod,
+		"RedirectURL": redirectURL,
+	})
 	return nil, nil
 }
 func (s *Service) endpointOAuthAuthorizationConsentCallback(ctx context.Context, c *gin.Context) (any, error) {

internal/apigw/httpserver/endpoints_oidcrp.go

@@ -96,9 +96,6 @@ func (s *Service) endpointOIDCRPCallback(ctx context.Context, c *gin.Context) (a
 
 	// VCI mode: redirect browser back to consent page
 	if reply != nil && reply.VCIRedirectURL != "" {
-		// Clean up auth cookies before redirect
-		c.SetCookie("auth_method", "", -1, "/authorization/consent", "", false, false)
-		c.SetCookie("oidc_redirect_url", "", -1, "/authorization/consent", "", false, false)
 		c.Redirect(http.StatusFound, reply.VCIRedirectURL)
 		return nil, nil
 	}

internal/apigw/httpserver/endpoints_saml.go

@@ -223,10 +223,6 @@ func (s *Service) endpointSAMLACS(ctx context.Context, c *gin.Context) (any, err
 		err = nil
 		s.samlSPService.DeleteSession(ctx, relayState)
 
-		// Clean up auth cookies before redirect
-		c.SetCookie("auth_method", "", -1, "/authorization/consent", "", false, false)
-		c.SetCookie("saml_redirect_url", "", -1, "/authorization/consent", "", false, false)
-
 		// Redirect browser back to the consent page to continue the VCI flow
 		c.Redirect(http.StatusFound, "/authorization/consent/#/credentials")
 		return nil, nil

internal/apigw/httpserver/endpoints_users.go

@@ -207,12 +207,6 @@ func (s *Service) endpointUserCancel(ctx context.Context, c *gin.Context) (any,
 		return nil, err
 	}
 
-	// Delete all cookies, not just session.
-	c.SetCookie("auth_method", "", -1, "/authorization/consent", "", false, false)
-	c.SetCookie("pid_auth_redirect_url", "", -1, "/authorization/consent", "", false, false)
-	c.SetCookie("oidc_redirect_url", "", -1, "/authorization/consent", "", false, false)
-	c.SetCookie("saml_redirect_url", "", -1, "/authorization/consent", "", false, false)
-
 	client, ok := s.cfg.APIGW.OauthServer.Clients[clientId]
 	if !ok {
 		err := errors.New("invalid client_id")

internal/apigw/staticembed/consent.html

@@ -63,7 +63,7 @@
     <link rel="icon" href="/static/favicon.png" type="image/png">
 </head>
 <body class="content-fade-in-appear-done content-fade-in-enter-done">
-<section class="flex-grow flex flex-col items-center justify-center bg-gray-100 dark:bg-gray-900 min-h-dvh flex flex-col" x-data="app">
+<section class="flex-grow flex flex-col items-center justify-center bg-gray-100 dark:bg-gray-900 min-h-dvh flex flex-col" x-data="app" data-auth-method="{{.AuthMethod}}" data-redirect-url="{{.RedirectURL}}">
     <div class="w-full flex flex-col items-center gap-7 px-6 py-8 text-black dark:text-white max-w-lg p-8">
         <a href="https://www.sunet.se" target="_blank" rel="noopener noreferrer">
             <img src="/static/logo.png" alt="Sunet" style="height: 48px;">

internal/apigw/staticembed/consent.js

@@ -39,20 +39,6 @@ const UserDataSchema = v.required(v.object({
     redirect_url: v.string(),
 }));
 
-/**
- * @param {string} name 
- * @returns {string | null}
- */
-function getCookie(name) {
-    return document.cookie
-        .split(";")
-        .find((cookie) =>
-            cookie.trim().startsWith(`${name}=`),
-        )
-        ?.split("=")
-        .pop() || null;
-}
-
 /**
  * @param {string} key 
  * @returns {string}
@@ -143,7 +129,7 @@ Alpine.data("app", () => ({
     },
 
     setAuthMethod() {
-        const authMethod = getCookie("auth_method");
+        const authMethod = this.$el.dataset.authMethod || null;
         const validMethods = ["basic", "pid_auth", "saml", "oidc"];
 
         if (!authMethod || !validMethods.includes(authMethod)) {
@@ -226,9 +212,9 @@ Alpine.data("app", () => ({
     },
 
     handleLoginSAML() {
-        const rawRedirectUrl = getCookie("saml_redirect_url");
+        const rawRedirectUrl = this.$el.dataset.redirectUrl || null;
         if (!rawRedirectUrl) {
-            this.error = "Missing 'saml_redirect_url' cookie";
+            this.error = "Missing SAML redirect URL";
             return;
         }
         try {
@@ -240,9 +226,9 @@ Alpine.data("app", () => ({
     },
 
     handleLoginOIDC() {
-        const rawRedirectUrl = getCookie("oidc_redirect_url");
+        const rawRedirectUrl = this.$el.dataset.redirectUrl || null;
         if (!rawRedirectUrl) {
-            this.error = "Missing 'oidc_redirect_url' cookie";
+            this.error = "Missing OIDC redirect URL";
             return;
         }
         try {
@@ -257,9 +243,9 @@ Alpine.data("app", () => ({
      * @param {boolean} immediate - Immediately proceed to 'redirect_uri'
      */
     handleLoginPidAuth(immediate = false) {
-        const rawRedirectUrl = getCookie("pid_auth_redirect_url");
+        const rawRedirectUrl = this.$el.dataset.redirectUrl || null;
         if (!rawRedirectUrl) {
-            this.error = "Missing 'pid_auth_redirect_url' cookie";
+            this.error = "Missing PID auth redirect URL";
             return;
         }