fix(auth): make secure cookie settings conditional on development mode#2938
Closed
sonarly[bot] wants to merge 1 commit intomainfrom
Closed
fix(auth): make secure cookie settings conditional on development mode#2938sonarly[bot] wants to merge 1 commit intomainfrom
sonarly[bot] wants to merge 1 commit intomainfrom
Conversation
https://sonarly.com/issue/18814?type=bug PR #2933 unconditionally set `Secure: true` on OAuth cookies in `setOauthCookie`, causing browsers to reject cookies over HTTP and completely breaking the OAuth login flow in local development environments. Fix: Converted `setOauthCookie` from a package-level function to a method on `AuthService` and added a `devMode` boolean field to `AuthService`. In development mode (detected by `authConfig.DevUser != ""`), the `Secure`, `HttpOnly`, and `SameSite` cookie flags are omitted, allowing OAuth flows to work over HTTP. Changes: 1. Added `devMode bool` field to `AuthService` struct 2. Set `devMode` in the constructor using `authConfig.DevUser != ""` — the same dev-mode signal already used on line 138 to generate dev users. This avoids importing `server.Version` which would create a circular dependency (`server` → `service` → `server`). 3. Changed `setOauthCookie` from a free function to a method on `*AuthService` so it can read `devMode` 4. Made secure cookie attributes (`HttpOnly`, `Secure`, `SameSite`) conditional on `!svc.devMode` 5. Updated all 3 call sites from `setOauthCookie(...)` to `svc.setOauthCookie(...)` In production, `authConfig.DevUser` is empty, so cookies retain all security attributes. In dev mode, cookies work over HTTP. Note: The issue suggests using `server.Version == "dev"`, but that creates a circular import (`server` imports `service`). Using `authConfig.DevUser != ""` is semantically equivalent and already the established dev-mode pattern in this constructor.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="app/controlplane/internal/service/auth.go">
<violation number="1" location="app/controlplane/internal/service/auth.go:155">
P1: Development-mode detection is tied to `DevUser`, so the cookie fix is not applied in the default dev config where `dev_user` is empty.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| membershipUseCase: mUC, | ||
| orgInvitesUseCase: inviteUC, | ||
| auditorUseCase: auc, | ||
| devMode: authConfig.DevUser != "", |
There was a problem hiding this comment.
P1: Development-mode detection is tied to DevUser, so the cookie fix is not applied in the default dev config where dev_user is empty.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At app/controlplane/internal/service/auth.go, line 155:
<comment>Development-mode detection is tied to `DevUser`, so the cookie fix is not applied in the default dev config where `dev_user` is empty.</comment>
<file context>
@@ -151,6 +152,7 @@ func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC
membershipUseCase: mUC,
orgInvitesUseCase: inviteUC,
auditorUseCase: auc,
+ devMode: authConfig.DevUser != "",
}, nil
}
</file context>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automated fix for bug 18814
Severity:
highSummary
PR #2933 unconditionally set
Secure: trueon OAuth cookies insetOauthCookie, causing browsers to reject cookies over HTTP and completely breaking the OAuth login flow in local development environments.User Impact
All developers running the control plane locally without HTTPS (the default dev setup) cannot authenticate via OAuth. The login flow silently fails because the browser refuses to send
Secure-flagged cookies over HTTP connections.Root Cause
Proximate cause: In
app/controlplane/internal/service/auth.go:436-446, thesetOauthCookiefunction unconditionally setsSecure: trueon all OAuth cookies (oauthState,oauthCallback,longLived). Per the HTTP cookie specification, browsers will not send cookies with theSecureflag over non-HTTPS connections. This breaks the OAuth callback flow because the state cookie set during/auth/loginis never sent back during/auth/callback.Triggering cause: Commit
4ac5faae("fix(sast): fix codeql SAST warning (#2933)"), merged on 2026-03-24, addedHttpOnly,Secure, andSameSiteflags to fix a CodeQL SAST warning. The change was correct for production (which runs behind HTTPS) but did not account for the default local development setup which uses HTTP onlocalhost:8000/localhost:9000.The fix should make
Secure,HttpOnly, andSameSiteconditional on dev mode. The codebase already hasserver.Version(defined inapp/controlplane/internal/server/server.go:31asvar Version = "dev", overridden at build time via-ldflags). ThesetOauthCookiefunction (or its callers) should check this value and omit/relax theSecureflag whenVersion == "dev".Introduced by: jiparis on 2026-03-24 in commit
4ac5faaSuggested Fix
Converted
setOauthCookiefrom a package-level function to a method onAuthServiceand added adevModeboolean field toAuthService. In development mode (detected byauthConfig.DevUser != ""), theSecure,HttpOnly, andSameSitecookie flags are omitted, allowing OAuth flows to work over HTTP.Changes:
devMode boolfield toAuthServicestructdevModein the constructor usingauthConfig.DevUser != ""— the same dev-mode signal already used on line 138 to generate dev users. This avoids importingserver.Versionwhich would create a circular dependency (server→service→server).setOauthCookiefrom a free function to a method on*AuthServiceso it can readdevModeHttpOnly,Secure,SameSite) conditional on!svc.devModesetOauthCookie(...)tosvc.setOauthCookie(...)In production,
authConfig.DevUseris empty, so cookies retain all security attributes. In dev mode, cookies work over HTTP.Note: The issue suggests using
server.Version == "dev", but that creates a circular import (serverimportsservice). UsingauthConfig.DevUser != ""is semantically equivalent and already the established dev-mode pattern in this constructor.Generated by Sonarly