pegasus/backend/internal/session.go

// backend/internal/session.go
package internal

import (
	"net/http"
	"os"
	"time"

	"github.com/golang-jwt/jwt/v5"
)

// Claims are the signed session fields Pegasus stores in the browser cookie.
type Claims struct {
	Username string `json:"u"`
	JFToken  string `json:"t"`
	jwt.RegisteredClaims
}

var sessionKey = []byte(os.Getenv("PEGASUS_SESSION_KEY"))
var cookieSecure = os.Getenv("PEGASUS_COOKIE_INSECURE") != "1"
var signJWT = func(tok *jwt.Token) (string, error) {
	return tok.SignedString(sessionKey)
}

// CookieName is the session cookie name used by Pegasus.
const CookieName = "pegasus_session"

// SetSession signs and writes a Pegasus session cookie.
func SetSession(w http.ResponseWriter, username, jfToken string) error {
	now := time.Now()
	tok := jwt.NewWithClaims(jwt.SigningMethodHS256, Claims{
		Username: username,
		JFToken:  jfToken,
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(now.Add(7 * 24 * time.Hour)),
			IssuedAt:  jwt.NewNumericDate(now),
		},
	})
	signed, err := signJWT(tok)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{
		Name:     CookieName,
		Value:    signed,
		Path:     "/",
		HttpOnly: true,
		Secure:   cookieSecure,
		SameSite: http.SameSiteLaxMode,
	})
	return nil
}

// ClearSession expires the Pegasus session cookie immediately.
func ClearSession(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{
		Name:     CookieName,
		Value:    "",
		Expires:  time.Unix(0, 0),
		MaxAge:   -1,
		Path:     "/",
		HttpOnly: true,
		Secure:   cookieSecure,
		SameSite: http.SameSiteLaxMode,
	})
}
many fixes, hopefully uploading 2025-09-16 00:05:16 -05:00			`// backend/internal/session.go`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`package internal`

			`import (`
			`"net/http"`
			`"os"`
			`"time"`

			`"github.com/golang-jwt/jwt/v5"`
			`)`

pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`// Claims are the signed session fields Pegasus stores in the browser cookie.`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`type Claims struct {`
pegasus: add full test suite and prometheus CI publishing 2026-04-10 03:25:23 -03:00			Username string `json:"u"`
			JFToken string `json:"t"`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`jwt.RegisteredClaims`
			`}`

			`var sessionKey = []byte(os.Getenv("PEGASUS_SESSION_KEY"))`
pegasus fix 2025-09-15 12:09:02 -05:00			`var cookieSecure = os.Getenv("PEGASUS_COOKIE_INSECURE") != "1"`
pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`var signJWT = func(tok *jwt.Token) (string, error) {`
			`return tok.SignedString(sessionKey)`
			`}`
first pass on pegasus 2025-09-08 00:48:47 -05:00
pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`// CookieName is the session cookie name used by Pegasus.`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`const CookieName = "pegasus_session"`

pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`// SetSession signs and writes a Pegasus session cookie.`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`func SetSession(w http.ResponseWriter, username, jfToken string) error {`
			`now := time.Now()`
			`tok := jwt.NewWithClaims(jwt.SigningMethodHS256, Claims{`
			`Username: username,`
			`JFToken: jfToken,`
			`RegisteredClaims: jwt.RegisteredClaims{`
			`ExpiresAt: jwt.NewNumericDate(now.Add(7 * 24 * time.Hour)),`
			`IssuedAt: jwt.NewNumericDate(now),`
			`},`
			`})`
pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`signed, err := signJWT(tok)`
pegasus: add full test suite and prometheus CI publishing 2026-04-10 03:25:23 -03:00			`if err != nil {`
			`return err`
			`}`
			`http.SetCookie(w, &http.Cookie{`
			`Name: CookieName,`
			`Value: signed,`
			`Path: "/",`
			`HttpOnly: true,`
			`Secure: cookieSecure,`
			`SameSite: http.SameSiteLaxMode,`
			`})`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`return nil`
			`}`

pegasus: tighten quality gate 2026-04-11 00:02:59 -03:00			`// ClearSession expires the Pegasus session cookie immediately.`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`func ClearSession(w http.ResponseWriter) {`
many fixes, hopefully uploading 2025-09-16 00:05:16 -05:00			`http.SetCookie(w, &http.Cookie{`
pegasus: add full test suite and prometheus CI publishing 2026-04-10 03:25:23 -03:00			`Name: CookieName,`
			`Value: "",`
			`Expires: time.Unix(0, 0),`
			`MaxAge: -1,`
			`Path: "/",`
			`HttpOnly: true,`
			`Secure: cookieSecure,`
			`SameSite: http.SameSiteLaxMode,`
many fixes, hopefully uploading 2025-09-16 00:05:16 -05:00			`})`
first pass on pegasus 2025-09-08 00:48:47 -05:00			`}`