#1: fix redirect issue with passkey

remove hard-coded cookie names

services/dev/handlers.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	"github.com/datasektionen/logout/pkg/httputil"
+	"github.com/datasektionen/logout/services/user/auth"
 )
 
 func (s *service) login(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
@@ -19,7 +20,7 @@ func (s *service) login(w http.ResponseWriter, r *http.Request) httputil.ToRespo
 		return err
 	}
 	http.SetCookie(w, &http.Cookie{
-		Name:  "session",
+		Name:  auth.SessionCookieName,
 		Value: sessionID.String(),
 		Path:  "/",
 	})

services/passkey/handlers.go

@@ -8,6 +8,7 @@ import (
 	"github.com/datasektionen/logout/pkg/database"
 	"github.com/datasektionen/logout/pkg/httputil"
 	"github.com/datasektionen/logout/services/passkey/export"
+	"github.com/datasektionen/logout/services/user/auth"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
@@ -40,8 +41,8 @@ func (s *service) beginLoginPasskey(w http.ResponseWriter, r *http.Request) http
 
 func (s *service) finishLoginPasskey(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
 	var body struct {
-		KTHID string `json:"kthid"`
-		Cred protocol.CredentialAssertionResponse `json:"cred"`
+		KTHID string                               `json:"kthid"`
+		Cred  protocol.CredentialAssertionResponse `json:"cred"`
 	}
 	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
 		return httputil.BadRequest("Invalid credential")
@@ -67,7 +68,15 @@ func (s *service) finishLoginPasskey(w http.ResponseWriter, r *http.Request) htt
 	if err != nil {
 		return err
 	}
-	return s.user.LoginUser(r.Context(), user.KTHID)
+
+	sessionID, err := s.db.CreateSession(r.Context(), user.KTHID)
+	if err != nil {
+		return err
+	}
+
+	http.SetCookie(w, auth.SessionCookie(sessionID.String()))
+
+	return nil
 }
 
 // ---

services/passkey/passkey.templ

@@ -25,7 +25,6 @@ templ passkeyLogin(kthid string, credAss *protocol.CredentialAssertion) {
 				for (let ac of credAss.publicKey.allowCredentials) {
 					ac.id = decodebase64url(ac.id);
 				}
-				console.log(credAss);
 				event.preventDefault();
 				try {
 					let cred = await navigator.credentials.get(credAss);

services/static/public/hx-clone.js

@@ -7,7 +7,6 @@ htmx.defineExtension('clone', {
                 const get = evt.detail.elt.getAttribute('hx-get')
                 if (get && get.startsWith('clone-template#')) {
                     const selector = get.substring(15)
-                    //console.log('htmx-clone: Intercepting xhr request to inject template with selector:', selector)
                     const template = document.querySelector(selector)
                     let templateContent = ''
                     if (!template) {

services/user/auth/auth.go

@@ -0,0 +1,16 @@
+package auth
+
+import "net/http"
+
+const SessionCookieName string = "_logout_session"
+
+func SessionCookie(sessionID string) *http.Cookie {
+	return &http.Cookie{
+		Name:     SessionCookieName,
+		Value:    sessionID,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+	}
+}

services/user/handlers.go

@@ -13,14 +13,16 @@ import (
 	"github.com/jackc/pgx/v5"
 )
 
+const nextUrlCookie string = "_logout_next-url"
+
 func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
 	returnURL := r.FormValue("next-url")
 	if returnURL != "" && returnURL[0] != '/' {
 		return httputil.BadRequest("Invalid return url")
 	}
 	hasCookie := false
 	if returnURL == "" {
-		c, _ := r.Cookie("next-url")
+		c, _ := r.Cookie(nextUrlCookie)
 		if c != nil {
 			returnURL = c.Value
 			hasCookie = true
@@ -33,14 +35,14 @@ func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToRespo
 		return err
 	} else if kthid != "" {
 		if hasCookie {
-			http.SetCookie(w, &http.Cookie{Name: "next-url", MaxAge: -1})
+			http.SetCookie(w, &http.Cookie{Name: nextUrlCookie, MaxAge: -1})
 		}
 		http.Redirect(w, r, returnURL, http.StatusSeeOther)
 		return nil
 	}
 	if returnURL != "" {
 		http.SetCookie(w, &http.Cookie{
-			Name:     "next-url",
+			Name:     nextUrlCookie,
 			Value:    returnURL,
 			MaxAge:   int((time.Minute * 10).Seconds()),
 			Secure:   true,

services/user/user.go

@@ -9,6 +9,7 @@ import (
 	"github.com/datasektionen/logout/pkg/httputil"
 	dev "github.com/datasektionen/logout/services/dev/export"
 	passkey "github.com/datasektionen/logout/services/passkey/export"
+	"github.com/datasektionen/logout/services/user/auth"
 	"github.com/datasektionen/logout/services/user/export"
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5"
@@ -70,20 +71,13 @@ func (s *service) LoginUser(ctx context.Context, kthid string) httputil.ToRespon
 		return err
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.SetCookie(w, &http.Cookie{
-			Name:     "session",
-			Value:    sessionID.String(),
-			Path:     "/",
-			HttpOnly: true,
-			Secure:   true,
-			SameSite: http.SameSiteLaxMode,
-		})
+		http.SetCookie(w, auth.SessionCookie(sessionID.String()))
 		http.Redirect(w, r, "/", http.StatusSeeOther)
 	})
 }
 
 func (s *service) GetLoggedInKTHID(r *http.Request) (string, error) {
-	sessionCookie, _ := r.Cookie("session")
+	sessionCookie, _ := r.Cookie(auth.SessionCookieName)
 	if sessionCookie == nil {
 		return "", nil
 	}
@@ -113,7 +107,7 @@ func (s *service) GetLoggedInUser(r *http.Request) (*export.User, error) {
 }
 
 func (s *service) Logout(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
-	sessionCookie, _ := r.Cookie("session")
+	sessionCookie, _ := r.Cookie(auth.SessionCookieName)
 	if sessionCookie != nil {
 		sessionID, err := uuid.Parse(sessionCookie.Value)
 		if err != nil {
@@ -122,7 +116,7 @@ func (s *service) Logout(w http.ResponseWriter, r *http.Request) httputil.ToResp
 			}
 		}
 	}
-	http.SetCookie(w, &http.Cookie{Name: "session", MaxAge: -1})
+	http.SetCookie(w, &http.Cookie{Name: auth.SessionCookieName, MaxAge: -1})
 	http.Redirect(w, r, "/", http.StatusSeeOther)
 	return nil
 }