-

2025-08-23 23:15:30 -04:00
parent e5bccc85c2
commit 02323a8b5c
7 changed files with 305 additions and 77 deletions
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@ -81,25 +81,53 @@ func (h *AuthHandler) Login(c *gin.Context) {
 		return
 	}

-	// For redirect flows, use secure cookie-based token delivery
-	// Set secure cookie with the token
-	c.SetSameSite(http.SameSiteStrictMode)
-	c.SetCookie(
-		"auth_token",           // name
-		token,                  // value
-		604800,                 // maxAge (7 days)
-		"/",                    // path
-		"",                     // domain (empty for current domain)
-		true,                   // secure (HTTPS only)
-		true,                   // httpOnly (no JavaScript access)
-	)
+	// For redirect flows, choose token delivery method
+	// Default to cookie delivery for security
+	tokenDelivery := req.TokenDelivery
+	if tokenDelivery == "" {
+		tokenDelivery = domain.TokenDeliveryCookie
+	}
+
+	h.logger.Debug("Token delivery mode", zap.String("mode", string(tokenDelivery)))

 	// Generate a secure state parameter for CSRF protection
 	state := h.generateSecureState(userContext.UserID, req.AppID)
-	
-	// Redirect without token in URL
+	var redirectURL string
+
+	switch tokenDelivery {
+	case domain.TokenDeliveryQuery:
+		// Deliver token via query parameter (for integrations like VS Code)
+		redirectURL = req.RedirectURI + "?token=" + token + "&state=" + state
+		
+	case domain.TokenDeliveryCookie:
+		// Deliver token via secure cookie (default, more secure)
+		c.SetSameSite(http.SameSiteStrictMode)
+		
+		// In development mode, make cookie accessible to JavaScript for testing
+		// In production, keep HTTP-only for security
+		httpOnly := !h.config.IsDevelopment()
+		secure := !h.config.IsDevelopment() // Only require HTTPS in production
+		
+		c.SetCookie(
+			"auth_token",           // name
+			token,                  // value
+			604800,                 // maxAge (7 days)
+			"/",                    // path
+			"",                     // domain (empty for current domain)
+			secure,                 // secure (HTTPS only in production)
+			httpOnly,               // httpOnly (no JavaScript access in production)
+		)
+		
+		// Redirect without token in URL for security
+		redirectURL = req.RedirectURI + "?state=" + state
+		
+	default:
+		// Invalid delivery mode, default to cookie
+		redirectURL = req.RedirectURI + "?state=" + state
+	}
+
 	response := domain.LoginResponse{
-		RedirectURL: req.RedirectURI + "?state=" + state,
+		RedirectURL: redirectURL,
 	}

 	c.JSON(http.StatusOK, response)