feat: improve defaults for new cookies

Author: innocenzi

packages/http/src/Cookie/CookieManager.php

@@ -29,7 +29,12 @@ public function get(string $key): ?Cookie
 
     public function set(string $key, string $value, DateTimeInterface|int|null $expiresAt = null): Cookie
     {
-        $cookie = $this->get($key) ?? new Cookie(key: $key);
+        $cookie = $this->get($key) ?? new Cookie(
+            key: $key,
+            secure: true,
+            httpOnly: true,
+            sameSite: SameSite::LAX,
+        );
 
         $cookie->value = $value;
         $cookie->expiresAt = $expiresAt ?? $cookie->expiresAt;

packages/http/src/Cookie/SameSite.php

@@ -4,9 +4,25 @@
 
 namespace Tempest\Http\Cookie;
 
+/**
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+ */
 enum SameSite: string
 {
+    /**
+     * Send the cookie only for requests originating from the same site that set the cookie.
+     */
     case STRICT = 'Strict';
+
+    /**
+     * Send the cookie for requests originating from the same site that set the cookie, and for cross-site requests that meet both of the following criteria:
+     * - The request is a top-level navigation: this essentially means that the request causes the URL shown in the browser's address bar to change.
+     * - The request uses a safe method: in particular, this excludes `POST`, `PUT`, and `DELETE`.
+     */
     case LAX = 'Lax';
+
+    /**
+     * Send the cookie with both cross-site and same-site requests. The `Secure` attribute must also be set when using this value.
+     */
     case NONE = 'None';
 }

tests/Integration/Http/CookieManagerTest.php

@@ -32,7 +32,7 @@ public function test_creating_a_cookie(): void
         $this->http
             ->get('/')
             ->assertOk()
-            ->assertHeaderContains('set-cookie', 'new=value');
+            ->assertHeaderContains('set-cookie', 'new=value; Secure; HttpOnly; SameSite=Lax');
     }
 
     public function test_removing_a_cookie(): void