Skip to content

fix(auth): make secure cookie settings conditional on development mode #2938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sonarly wants to merge 1 commit into from
+20 −13
Closed

fix(auth): make secure cookie settings conditional on development mode #2938

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 20 additions & 13 deletions app/controlplane/internal/service/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,7 @@ type AuthService struct {
orgInvitesUseCase *biz.OrgInvitationUseCase
AuthURLs *AuthURLs
auditorUseCase *biz.AuditorUseCase
devMode bool
}

func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC *biz.MembershipUseCase, inviteUC *biz.OrgInvitationUseCase, authConfig *conf.Auth, serverConfig *conf.Server, auc *biz.AuditorUseCase, opts ...NewOpt) (*AuthService, error) {
Expand Down Expand Up @@ -151,6 +152,7 @@ func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC
membershipUseCase: mUC,
orgInvitesUseCase: inviteUC,
auditorUseCase: auc,
devMode: authConfig.DevUser != "",
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai bot Mar 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Development-mode detection is tied to DevUser, so the cookie fix is not applied in the default dev config where dev_user is empty.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At app/controlplane/internal/service/auth.go, line 155:

<comment>Development-mode detection is tied to `DevUser`, so the cookie fix is not applied in the default dev config where `dev_user` is empty.</comment>

<file context>
@@ -151,6 +152,7 @@ func NewAuthService(userUC *biz.UserUseCase, orgUC *biz.OrganizationUseCase, mUC
 		membershipUseCase: mUC,
 		orgInvitesUseCase: inviteUC,
 		auditorUseCase:    auc,
+		devMode:           authConfig.DevUser != "",
 	}, nil
 }
</file context>
Fix with Cubic

}, nil
}

Expand Down Expand Up @@ -223,13 +225,13 @@ func loginHandler(svc *AuthService, w http.ResponseWriter, r *http.Request) *oau

// Store a random string to check it in the oauth callback
state := base64.URLEncoding.EncodeToString(b)
setOauthCookie(w, cookieOauthStateName, state)
svc.setOauthCookie(w, cookieOauthStateName, state)

// Store the final destination where the auth token will be pushed to, i.e the CLI
setOauthCookie(w, cookieCallback, r.URL.Query().Get(oauth.QueryParamCallback))
svc.setOauthCookie(w, cookieCallback, r.URL.Query().Get(oauth.QueryParamCallback))

// Wether the token should be short lived or not
setOauthCookie(w, cookieLongLived, r.URL.Query().Get(oauth.QueryParamLongLived))
svc.setOauthCookie(w, cookieLongLived, r.URL.Query().Get(oauth.QueryParamLongLived))

authorizationURI := svc.authenticator.AuthCodeURL(state)

Expand Down Expand Up @@ -433,16 +435,21 @@ func generateUserJWT(userID, passphrase string, expiration time.Duration) (strin
return b.GenerateJWT(userID)
}

func setOauthCookie(w http.ResponseWriter, name, value string) {
http.SetCookie(w, &http.Cookie{
Name: name,
Value: value,
Path: "/",
Expires: time.Now().Add(10 * time.Minute),
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
func (svc *AuthService) setOauthCookie(w http.ResponseWriter, name, value string) {
c := &http.Cookie{
Name: name,
Value: value,
Path: "/",
Expires: time.Now().Add(10 * time.Minute),
}

if !svc.devMode {
c.HttpOnly = true
c.Secure = true
c.SameSite = http.SameSiteLaxMode
}

http.SetCookie(w, c)
}

func generateAndLogDevUser(userUC *biz.UserUseCase, log *log.Helper, authConfig *conf.Auth) error {
Expand Down
Loading