fix: secure session handling and landing page redirect

Author: Vasist10

backend/controllers/app_handlers.go

@@ -52,7 +52,7 @@ func (a *App) OAuthHandler(w http.ResponseWriter, r *http.Request) {
 	// Store state in session for validation in callback
 	session, _ := a.SessionStore.Get(r, "session-name")
 	session.Values["oauth_state"] = state
-	if err := session.Save(r, w); err != nil {
+	if err := utils.SaveSessionWithSecureCookie(session, r, w); err != nil {
 		utils.Logger.Errorf("Failed to save OAuth state to session: %v", err)
 		http.Error(w, "Internal server error", http.StatusInternalServerError)
 		return
@@ -125,7 +125,7 @@ func (a *App) OAuthCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	userInfo["uuid"] = uuidStr
 	userInfo["encryption_secret"] = encryptionSecret
 	session.Values["user"] = userInfo
-	if err := session.Save(r, w); err != nil {
+	if err := utils.SaveSessionWithSecureCookie(session, r, w); err != nil {
 		utils.Logger.Errorf("Failed to save session: %v", err)
 		http.Error(w, "Session error", http.StatusInternalServerError)
 		return
@@ -221,7 +221,7 @@ func (a *App) EnableCORS(handler http.Handler) http.Handler {
 func (a *App) LogoutHandler(w http.ResponseWriter, r *http.Request) {
 	session, _ := a.SessionStore.Get(r, "session-name")
 	session.Options.MaxAge = -1
-	if err := session.Save(r, w); err != nil {
+	if err := utils.SaveSessionWithSecureCookie(session, r, w); err != nil {
 		utils.Logger.Errorf("Failed to clear session on logout: %v", err)
 		http.Error(w, "Logout failed", http.StatusInternalServerError)
 		return

backend/main.go

@@ -84,10 +84,10 @@ func main() {
 	// Configure secure cookie options
 	store.Options = &sessions.Options{
 		Path:     "/",
-		MaxAge:   86400 * 7,                        // 7 days
-		HttpOnly: true,                             // Prevent JavaScript access
-		Secure:   os.Getenv("ENV") == "production", // HTTPS only in production
-		SameSite: http.SameSiteLaxMode,             // CSRF protection (Lax allows OAuth redirects)
+		MaxAge:   86400 * 30,           // 30 days
+		HttpOnly: true,                 // Prevent JavaScript access
+		Secure:   false,                // Handled dynamically by SaveSessionWithSecureCookie / IsSecure
+		SameSite: http.SameSiteLaxMode, // CSRF protection (Lax allows OAuth redirects)
 	}
 
 	gob.Register(map[string]interface{}{})

backend/middleware/auth.go

@@ -51,6 +51,11 @@ func AuthMiddleware(store *sessions.CookieStore) func(http.Handler) http.Handler
 				return
 			}
 
+			// Inject session credentials into headers for GET requests
+			r.Header.Set("X-User-Email", sessionEmail)
+			r.Header.Set("X-User-UUID", sessionUUID)
+			r.Header.Set("X-Encryption-Secret", sessionSecret)
+
 			// For POST requests with JSON body, inject session credentials
 			if r.Method == http.MethodPost && r.Body != nil {
 				// Read the body

backend/utils/session.go

@@ -0,0 +1,22 @@
+package utils
+
+import (
+	"net/http"
+
+	"github.com/gorilla/sessions"
+)
+
+func IsSecure(r *http.Request) bool {
+	if r.TLS != nil {
+		return true
+	}
+	return r.Header.Get("X-Forwarded-Proto") == "https"
+}
+
+func SaveSessionWithSecureCookie(session *sessions.Session, r *http.Request, w http.ResponseWriter) error {
+	original := session.Options.Secure
+	session.Options.Secure = IsSecure(r)
+	err := session.Save(r, w)
+	session.Options.Secure = original
+	return err
+}

frontend/src/components/LandingPage.tsx

@@ -8,7 +8,31 @@ import { ScrollToTop } from '../components/utils/ScrollToTop';
 import { Contact } from './LandingComponents/Contact/Contact';
 import '../App.css';
 
+import { useEffect } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { url } from './utils/URLs';
+
 export const LandingPage = () => {
+  const navigate = useNavigate();
+
+  useEffect(() => {
+    const checkLoginStatus = async () => {
+      try {
+        const response = await fetch(url.backendURL + 'api/user', {
+          method: 'GET',
+          credentials: 'include',
+        });
+        if (response.ok) {
+          navigate('/home');
+        }
+      } catch (error) {
+        console.error('Error checking login status:', error);
+      }
+    };
+
+    checkLoginStatus();
+  }, [navigate]);
+
   return (
     <div className="overflow-x-hidden">
       <Navbar />

frontend/src/components/__tests__/LandingPage.test.tsx

@@ -1,4 +1,5 @@
 import { render, screen } from '@testing-library/react';
+import { BrowserRouter } from 'react-router-dom';
 import { LandingPage } from '../LandingPage';
 
 // Mock dependencies
@@ -27,9 +28,25 @@ jest.mock('../../components/utils/ScrollToTop', () => ({
   ScrollToTop: () => <div>Mocked ScrollToTop</div>,
 }));
 
+// Mock fetch for auth check
+global.fetch = jest.fn(() =>
+  Promise.resolve({
+    ok: false,
+    status: 401,
+  } as Response)
+);
+
 describe('LandingPage', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
   it('renders all components correctly', () => {
-    render(<LandingPage />);
+    render(
+      <BrowserRouter>
+        <LandingPage />
+      </BrowserRouter>
+    );
 
     expect(screen.getByText('Mocked Navbar')).toBeInTheDocument();
     expect(screen.getByText('Mocked Hero')).toBeInTheDocument();
@@ -44,7 +61,11 @@ describe('LandingPage', () => {
 
 describe('LandingPage Component using Snapshot', () => {
   it('renders landing page correctly', () => {
-    const { asFragment } = render(<LandingPage />);
+    const { asFragment } = render(
+      <BrowserRouter>
+        <LandingPage />
+      </BrowserRouter>
+    );
     expect(asFragment()).toMatchSnapshot('landing-page');
   });
 });