apunkt/gomcp
1
0
Fork 0
mirror of https://github.com/syntrex-lab/gomcp.git synced 2026-04-25 04:16:22 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(auth): comprehensive sync of cookie-based sessions across register, verify, and middleware

Browse source
This commit is contained in:
DmitrL-dev 2026-03-27 18:42:54 +10:00
parent 9abdd86540
commit 577fa9400a
1 changed files with 24 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

26
internal/infrastructure/auth/tenant_handlers.go
View file

@ -180,12 +180,30 @@ func HandleVerifyEmail(userStore *UserStore, tenantStore *TenantStore, jwtSecret
tenant, _ = tenantStore.GetTenant(tenantID) tenant, _ = tenantStore.GetTenant(tenantID)
} }
// SEC: H1 - Use httpOnly Cookies instead of returning JSON tokens
http.SetCookie(w, &http.Cookie{
Name: "syntrex_token",
Value: accessToken,
Path: "/",
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
MaxAge: 900,
})
http.SetCookie(w, &http.Cookie{
Name: "syntrex_refresh",
Value: refreshToken,
Path: "/",
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
MaxAge: 7 * 24 * 3600,
})
// SEC: M2 - Generate stateless CSRF token
csrfToken := hmacSign([]byte(accessToken), jwtSecret)[:32]
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{ json.NewEncoder(w).Encode(map[string]interface{}{
"access_token": accessToken, "csrf_token": csrfToken,
"refresh_token": refreshToken,
"expires_in": 900,
"token_type": "Bearer",
"user": user, "user": user,
"tenant": tenant, "tenant": tenant,
}) })