Commit 3ec4b6a
fix(low): assert Secure/SameSite + clear scope on auth cookies (L8)
Background: set_auth_cookies sets httponly+secure+samesite (config-driven), but
the auth-endpoint tests only asserted HttpOnly. A config/refactor that dropped
Secure or SameSite — or set samesite='none' without secure, which browsers
reject — would have failed no test, silently weakening session-cookie security.
Fix: no production change. Add two unit tests exercising the cookie helper
directly with prod-shaped settings monkeypatched in (the dev defaults leave
Secure off): one asserts set_auth_cookies emits HttpOnly + Secure + SameSite +
the right Domain/Path on both cookies; one asserts clear_auth_cookies deletes
with the SAME path/domain (otherwise the browser keeps the original cookie and
the user stays signed in) and actually expires them.
Test: new tests pass; full test_backend_auth.py suite green (7 tests).
Fixes: L8
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 064532c commit 3ec4b6a
1 file changed
Lines changed: 74 additions & 0 deletions
(Diff body not rendered in this capture: the changed file's lines 223–225 appear as unchanged context, followed by the 74 added lines numbered 226–299.)
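The checks the commit message describes, as an added example that is not the project's code: a minimal cookie helper with a Response stand-in, a settings object, and a browser-jar model showing why a clear with a different Domain/Path leaves the user signed in. The cookie names, setting names and the Response API are assumptions, not taken from the repository.

```python
from dataclasses import dataclass
from typing import Optional

AUTH_COOKIES = ("access_token", "refresh_token")  # assumed names, not the project's

@dataclass
class Settings:
    cookie_secure: bool = False  # dev default leaves Secure off, as in the commit message
    cookie_samesite: str = "lax"
    cookie_domain: Optional[str] = None
    cookie_path: str = "/"

class Response:
    # Stand-in for a framework response object: records Set-Cookie attributes.
    def __init__(self) -> None:
        self.cookies: list = []
    def set_cookie(self, key, value, *, httponly, secure, samesite, domain, path, max_age):
        self.cookies.append(dict(key=key, value=value, httponly=httponly, secure=secure,
                                 samesite=samesite, domain=domain, path=path, max_age=max_age))

def set_auth_cookies(resp: Response, s: Settings, access: str, refresh: str) -> None:
    # Browsers reject SameSite=None unless Secure is also set; fail loudly in the helper.
    if s.cookie_samesite.lower() == "none" and not s.cookie_secure:
        raise ValueError("samesite='none' requires secure=True")
    for name, value in zip(AUTH_COOKIES, (access, refresh)):
        resp.set_cookie(name, value, httponly=True, secure=s.cookie_secure,
                        samesite=s.cookie_samesite, domain=s.cookie_domain,
                        path=s.cookie_path, max_age=3600)

def clear_auth_cookies(resp: Response, s: Settings) -> None:
    # A deletion is a Set-Cookie with Max-Age=0; it only replaces the stored cookie
    # when Domain and Path match the original, so the same settings must be reused.
    for name in AUTH_COOKIES:
        resp.set_cookie(name, "", httponly=True, secure=s.cookie_secure,
                        samesite=s.cookie_samesite, domain=s.cookie_domain,
                        path=s.cookie_path, max_age=0)

class BrowserJar:
    # Models the browser rule that a cookie is identified by (name, domain, path).
    def __init__(self) -> None:
        self.store: dict = {}
    def apply(self, resp: Response) -> None:
        for c in resp.cookies:
            key = (c["key"], c["domain"], c["path"])
            if c["max_age"] == 0:
                self.store.pop(key, None)  # no key match: the original cookie survives
            else:
                self.store[key] = c["value"]
    def names(self) -> set:
        return {k[0] for k in self.store}
```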
0 commit comments