imacat/lucia-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Secure and SameSite=Lax flags to all cookie operations

Browse Source 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
依瑪貓
2026-03-06 07:51:14 +08:00
parent 64832bb5f9
commit 954b41b555
5 changed files with 84 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
tests/stores/login.test.js
View File

@@ -56,7 +56,23 @@ describe('loginStore', () => {
}),
);
expect(store.isLoggedIn).toBe(true);
expect(document.cookie).toContain('luciaToken=test-access-token');
// Verify token cookie was set with Secure flag
// (jsdom drops Secure cookies, so spy on setter)
const cookieSetter = vi.spyOn(document, 'cookie', 'set');
vi.clearAllMocks();
axios.post.mockResolvedValue({
data: {
access_token: 'test-access-token',
refresh_token: 'test-refresh-token',
},
});
await store.signIn();
const tokenCall = cookieSetter.mock.calls.find(
(c) => c[0].includes('luciaToken='),
);
expect(tokenCall).toBeDefined();
expect(tokenCall[0]).toContain('Secure');
cookieSetter.mockRestore();
expect(store.$router.push).toHaveBeenCalledWith('/files');
});
@@ -173,6 +189,25 @@ describe('loginStore', () => {
// Should update axios default Authorization header
expect(axios.defaults.headers.common['Authorization'])
.toBe('Bearer new-access-token');
// Verify cookies were set with Secure flag
const cookieSetter = vi.spyOn(document, 'cookie', 'set');
vi.clearAllMocks();
document.cookie = 'luciaRefreshToken=old-refresh-token';
axios.post.mockResolvedValue({
status: 200,
data: {
access_token: 'new-access-token',
refresh_token: 'new-refresh-token',
},
});
await store.refreshToken();
const tokenCall = cookieSetter.mock.calls.find(
(c) => c[0].includes('luciaToken='),
);
expect(tokenCall).toBeDefined();
expect(tokenCall[0]).toContain('Secure');
cookieSetter.mockRestore();
});
it('redirects to login and re-throws on failure', async () => {