Remember-me cookie in SessionAuthAdapter missing httpOnly and secure flags

[armanist]

Fixes #447

Summary by CodeRabbit

• Bug Fixes
  • Enhanced the remember-me authentication feature with improved cookie configuration to ensure secure and reliable user session persistence across visits.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR enhances the remember-me cookie security in SessionAuthAdapter by adding an expiration lifetime constant and explicitly setting secure/httpOnly flags, along with three new unit tests validating the cookie behavior across sign-in and sign-out scenarios.

Changes

Cohort / File(s)	Summary
Remember Token Cookie Security src/Auth/Adapters/SessionAuthAdapter.php	Added REMEMBER_TOKEN_LIFETIME constant and updated setRememberToken() to set cookies with explicit parameters: 30-day lifetime, secure flag enabled, and httpOnly flag enabled to prevent XSS token theft.
Remember-Me Authentication Tests tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php	Added three new test methods: one verifying the remember token cookie is set on sign-in with remember flag, one confirming no cookie is set without the flag, and one validating cookie removal on sign-out.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A cookie so secure, with flags held tight,
HttpOnly guards it from XSS's bite,
Thirty days of remembrance, safe from the night,
With tests standing guard, the auth path is right! 🍪✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: adding httpOnly and secure flags to the remember-me cookie in SessionAuthAdapter.
Linked Issues check	✅ Passed	The PR addresses all critical requirements from issue #447: sets httponly=true and secure=true flags, implements 30-day expiration via REMEMBER_TOKEN_LIFETIME constant, verifies removeRememberToken() cleanup, and adds comprehensive tests asserting cookie presence/absence and removal behavior.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #447: updating cookie flags in setRememberToken(), adding the REMEMBER_TOKEN_LIFETIME constant, and adding targeted tests for the remember-me flow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.65%. Comparing base (f186a9a) to head (24e3348).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #450      +/-   ##
============================================
+ Coverage     82.58%   82.65%   +0.06%     
  Complexity     2831     2831              
============================================
  Files           243      243              
  Lines          7545     7552       +7     
============================================
+ Hits           6231     6242      +11     
+ Misses         1314     1310       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php (1)

66-74: Tests verify cookie presence but not the security flags.

The test correctly verifies that the remember_token cookie is set and has a non-empty value. However, per the PR objectives, tests should also assert that the cookie is created with secure=true, httponly=true, and proper expiration.

The current Cookie class stores only the value in self::$storage, making flag verification difficult without mocking. Consider one of these approaches:

1. Mock the cookie() helper to capture and verify all parameters passed to set()
2. Add a spy/wrapper that records the flags for test inspection

Example approach using a mock

public function testWebSigninWithRememberSetsCookieWithSecureFlags(): void
{
    // This would require refactoring to inject a mock Cookie or use a test double
    // that can capture the parameters passed to set()
    
    $cookieMock = $this->createMock(Cookie::class);
    $cookieMock->expects($this->once())
        ->method('set')
        ->with(
            'remember_token',
            $this->anything(),
            2592000,  // REMEMBER_TOKEN_LIFETIME
            '/',
            '',
            true,     // secure
            true      // httponly
        );
    
    // Inject mock and call signin...
}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php` around lines 66 - 74,
The test testWebSigninWithRememberSetsCookie currently only checks
presence/value; update it to also assert secure, httponly and expiration by
either (A) mocking the Cookie helper used by SessionAuth::signin (mock the
Cookie class or cookie() helper and expect cookie->set('remember_token', ...,
REMEMBER_TOKEN_LIFETIME, '/', '', true, true)) and inject that mock into the
code path used by SessionAuth, or (B) add a minimal test-only spy/wrapper around
the Cookie class that records set() parameters into a public inspectable
property and use that spy in the test to assert secure === true, httponly ===
true and that the expiration equals the REMEMBER_TOKEN_LIFETIME constant; locate
the code around SessionAuth::signin, the Cookie class, and the test method
testWebSigninWithRememberSetsCookie to implement the chosen approach.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php`:
- Around line 66-74: The test testWebSigninWithRememberSetsCookie currently only
checks presence/value; update it to also assert secure, httponly and expiration
by either (A) mocking the Cookie helper used by SessionAuth::signin (mock the
Cookie class or cookie() helper and expect cookie->set('remember_token', ...,
REMEMBER_TOKEN_LIFETIME, '/', '', true, true)) and inject that mock into the
code path used by SessionAuth, or (B) add a minimal test-only spy/wrapper around
the Cookie class that records set() parameters into a public inspectable
property and use that spy in the test to assert secure === true, httponly ===
true and that the expiration equals the REMEMBER_TOKEN_LIFETIME constant; locate
the code around SessionAuth::signin, the Cookie class, and the test method
testWebSigninWithRememberSetsCookie to implement the chosen approach.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5e967e9a-8f8f-4f5b-9200-aa69c6bd6a03

📥 Commits

Reviewing files that changed from the base of the PR and between f186a9a and 24e3348.

📒 Files selected for processing (2)

• src/Auth/Adapters/SessionAuthAdapter.php
• tests/Unit/Auth/Adapters/SessionAuthAdapterTest.php