Set session cookies, errors appropriately #100
Merged
1. Use proper `Set-Cookie` response header when returning cookies to HTTP clients.
2. Fix 500 errors on invalid login (was my newbie error in returning non-gRPC errors from session service on invalid login). Now returning gRPC errors as needed.
3. Don't do anything with gRPC headers. Simply intercept all session service requests and set a cookie based on the token from any successful response, which is going to be either a login (`Create`) or logout (`Delete`).
4. Security improvement: Don't return token as text in response if client is HTTP: the HTTP client never gets to see the token now, except in the cookie (which, being `HttpOnly`, cannot be accessed by JavaScript). `Secure` flag on cookie only when `--insecure` is `false`.
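The cookie handling described in this pull request, sketched as an added example that is not the project's own code: a captured session-service reply is relayed to an HTTP client with the token moved into an `HttpOnly` cookie and dropped from the body. The cookie name, the JSON field `token`, the helper names and the empty-token-on-logout behaviour are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cookieName is a placeholder for this example, not the project's value.
const cookieName = "example.session.token"

// writeSessionResponse relays a session-service reply (status and JSON body,
// already captured by an interceptor) to an HTTP client. On success the token
// moves into an HttpOnly cookie and is removed from the body.
func writeSessionResponse(w http.ResponseWriter, status int, body []byte, insecure bool) {
	var resp map[string]interface{}
	if status == http.StatusOK && json.Unmarshal(body, &resp) == nil {
		token, _ := resp["token"].(string) // assumed empty after logout
		c := &http.Cookie{Name: cookieName, Value: token, Path: "/",
			HttpOnly: true,      // not readable from JavaScript
			Secure:   !insecure, // HTTPS-only unless running with --insecure
		}
		if token == "" {
			c.MaxAge = -1 // logout: tell the browser to drop the cookie
		}
		http.SetCookie(w, c)
		delete(resp, "token")
		body, _ = json.Marshal(resp)
	}
	w.WriteHeader(status)
	w.Write(body)
}

// relay runs one constructed reply through writeSessionResponse and returns
// the Set-Cookie header and body an HTTP client would receive.
func relay(status int, body string, insecure bool) (string, string) {
	rec := httptest.NewRecorder()
	writeSessionResponse(rec, status, []byte(body), insecure)
	return rec.Header().Get("Set-Cookie"), rec.Body.String()
}

func main() {
	// Constructed sample replies: login, logout, failed login.
	fmt.Println(relay(http.StatusOK, `{"token":"constructed-token"}`, false))
	fmt.Println(relay(http.StatusOK, `{}`, false))
	fmt.Println(relay(http.StatusUnauthorized, `{"error":"invalid login"}`, true))
}
```

A failed login passes through unchanged with no `Set-Cookie` header, so an error reply never sets or clears the session cookie.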