Harden session cookie security with configurable cookie flags

2026-04-09 21:43:32 +02:00
parent 208f98dc97
commit 4043cdfa3c
4 changed files with 41 additions and 3 deletions
--- a/backend/tests/test_routers/test_auth.py
+++ b/backend/tests/test_routers/test_auth.py
@@ -66,6 +66,22 @@ class TestLogin:
        assert response.status_code == 200
        assert "bangui_session" in response.cookies
        assert "." in response.cookies["bangui_session"]
+        set_cookie = response.headers.get("set-cookie", "")
+        assert "HttpOnly" in set_cookie
+        assert "SameSite=lax" in set_cookie
+
+    async def test_login_sets_secure_cookie_when_enabled(
+        self, client: AsyncClient
+    ) -> None:
+        """Login sets the Secure flag when session cookies are configured for HTTPS."""
+        client._transport.app.state.settings.session_cookie_secure = True
+        await _do_setup(client)
+        response = await client.post(
+            "/api/auth/login", json={"password": "mysecretpass1"}
+        )
+        assert response.status_code == 200
+        set_cookie = response.headers.get("set-cookie", "")
+        assert "Secure" in set_cookie

    async def test_login_fails_with_wrong_password(
        self, client: AsyncClient