feat(dashboard-auth): cookie helpers for session_at/session_rt/pkce

Phase 3, Task 3.1. Three cookies: - hermes_session_at: OAuth access token (HttpOnly, TTL = token TTL) - hermes_session_rt: OAuth refresh token (HttpOnly, 30d max-age) - hermes_session_pkce: PKCE state + verifier + provider hint (10min) All SameSite=Lax + Path=/. Secure flag is set ONLY when the request scheme is https — uvicorn proxy_headers=True (enabled in gated mode at Phase 3.5) rewrites scheme from X-Forwarded-Proto so Fly's TLS terminator works.
2026-06-07 08:02:23 +00:00 · 2026-05-21 15:14:56 +10:00 · 2026-05-21 15:14:56 +10:00 · 12142c0ca1
commit 12142c0ca1
parent ce276bf210
2 changed files with 278 additions and 0 deletions
--- a/tests/hermes_cli/test_dashboard_auth_cookies.py
+++ b/tests/hermes_cli/test_dashboard_auth_cookies.py
@ -0,0 +1,158 @@
+"""Tests for the dashboard-auth cookie helpers."""
+from __future__ import annotations
+
+import pytest
+from fastapi import FastAPI
+from fastapi.responses import Response
+from fastapi.testclient import TestClient
+from starlette.requests import Request
+
+from hermes_cli.dashboard_auth.cookies import (
+    PKCE_COOKIE,
+    SESSION_AT_COOKIE,
+    SESSION_RT_COOKIE,
+    clear_pkce_cookie,
+    clear_session_cookies,
+    read_pkce_cookie,
+    read_session_cookies,
+    set_pkce_cookie,
+    set_session_cookies,
+)
+
+
+def _build_app(use_https: bool = True):
+    app = FastAPI()
+
+    @app.get("/set")
+    def set_endpoint():
+        r = Response("ok")
+        set_session_cookies(
+            r, access_token="AT", refresh_token="RT",
+            access_token_expires_in=3600, use_https=use_https,
+        )
+        return r
+
+    @app.get("/set-pkce")
+    def set_pkce():
+        r = Response("ok")
+        set_pkce_cookie(r, payload="provider=stub;state=s;verifier=v",
+                        use_https=use_https)
+        return r
+
+    @app.get("/clear")
+    def clear():
+        r = Response("ok")
+        clear_session_cookies(r)
+        clear_pkce_cookie(r)
+        return r
+
+    return app
+
+
+def test_session_cookies_are_httponly_samesite_lax_secure_in_https():
+    client = TestClient(_build_app(use_https=True))
+    r = client.get("/set")
+    cookies = r.headers.get_list("set-cookie")
+    at = next(c for c in cookies if c.startswith(f"{SESSION_AT_COOKIE}="))
+    rt = next(c for c in cookies if c.startswith(f"{SESSION_RT_COOKIE}="))
+    for c in (at, rt):
+        assert "HttpOnly" in c
+        assert "samesite=lax" in c.lower()
+        assert "Secure" in c
+        assert "Path=/" in c
+
+
+def test_session_cookies_omit_secure_when_http():
+    client = TestClient(_build_app(use_https=False))
+    r = client.get("/set")
+    for c in r.headers.get_list("set-cookie"):
+        if c.startswith(f"{SESSION_AT_COOKIE}=") or c.startswith(f"{SESSION_RT_COOKIE}="):
+            assert "Secure" not in c, f"Cookie unexpectedly Secure: {c}"
+
+
+def test_session_cookies_have_30day_rt_and_token_ttl_at():
+    client = TestClient(_build_app(use_https=True))
+    r = client.get("/set")
+    cookies = r.headers.get_list("set-cookie")
+    at = next(c for c in cookies if c.startswith(f"{SESSION_AT_COOKIE}="))
+    rt = next(c for c in cookies if c.startswith(f"{SESSION_RT_COOKIE}="))
+    assert "Max-Age=3600" in at
+    assert "Max-Age=2592000" in rt  # 30 days = 30 * 86400
+
+
+def test_clear_session_cookies_emits_expired_at_and_rt():
+    client = TestClient(_build_app())
+    r = client.get("/clear")
+    cookies = r.headers.get_list("set-cookie")
+    assert any(
+        c.startswith(f"{SESSION_AT_COOKIE}=") and "Max-Age=0" in c
+        for c in cookies
+    )
+    assert any(
+        c.startswith(f"{SESSION_RT_COOKIE}=") and "Max-Age=0" in c
+        for c in cookies
+    )
+
+
+def test_pkce_cookie_short_ttl_and_path_root():
+    client = TestClient(_build_app(use_https=True))
+    r = client.get("/set-pkce")
+    pkce = next(
+        c for c in r.headers.get_list("set-cookie")
+        if c.startswith(f"{PKCE_COOKIE}=")
+    )
+    assert "HttpOnly" in pkce
+    assert "Max-Age=600" in pkce  # 10 minutes
+    assert "Path=/" in pkce
+    assert "Secure" in pkce
+
+
+def test_read_session_cookies_from_request():
+    scope = {
+        "type": "http",
+        "method": "GET",
+        "path": "/",
+        "headers": [(
+            b"cookie",
+            f"{SESSION_AT_COOKIE}=at_value; {SESSION_RT_COOKIE}=rt_value".encode(),
+        )],
+    }
+    req = Request(scope)
+    at, rt = read_session_cookies(req)
+    assert at == "at_value"
+    assert rt == "rt_value"
+
+
+def test_read_session_cookies_missing_returns_none():
+    req = Request({"type": "http", "method": "GET", "path": "/", "headers": []})
+    assert read_session_cookies(req) == (None, None)
+
+
+def test_read_pkce_cookie_round_trip():
+    scope = {
+        "type": "http",
+        "method": "GET",
+        "path": "/",
+        "headers": [(b"cookie", f"{PKCE_COOKIE}=state=s;verifier=v".encode())],
+    }
+    req = Request(scope)
+    assert read_pkce_cookie(req) == "state=s"  # NB: cookie value stops at ';'
+
+
+def test_detect_https_via_scheme():
+    """``detect_https`` reads from request.url.scheme.
+
+    Under uvicorn proxy_headers=True the scheme is rewritten from
+    ``X-Forwarded-Proto``; that's an integration concern, not unit.
+    """
+    from hermes_cli.dashboard_auth.cookies import detect_https
+    http_req = Request({
+        "type": "http", "method": "GET", "path": "/", "scheme": "http",
+        "headers": [], "server": ("x", 80),
+    })
+    https_req = Request({
+        "type": "http", "method": "GET", "path": "/", "scheme": "https",
+        "headers": [], "server": ("x", 443),
+    })
+    assert detect_https(http_req) is False
+    assert detect_https(https_req) is True