adjust cookie security settings

wojcik91 · wojcik91 · commit 5ed0b3e9ae74 · 2026-04-23T07:56:33.000+02:00
diff --git a/src/handlers/enrollment.rs b/src/handlers/enrollment.rs
@@ -1,5 +1,8 @@
 use axum::{Json, Router, extract::State, routing::post};
-use axum_extra::extract::{PrivateCookieJar, cookie::Cookie};
+use axum_extra::extract::{
+    PrivateCookieJar,
+    cookie::{Cookie, SameSite},
+};
 use time::OffsetDateTime;
 
 use super::register_mfa::router as register_mfa_router;
@@ -56,7 +59,14 @@ async fn start_enrollment_process(
         );
         // set session cookie
         let cookie = Cookie::build((ENROLLMENT_COOKIE_NAME, token))
-            .expires(OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).unwrap());
+            .expires(
+                OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).map_err(|_| {
+                    ApiError::Unexpected("Invalid enrollment deadline timestamp".into())
+                })?,
+            )
+            .http_only(true)
+            .same_site(SameSite::Strict)
+            .path("/api/v1/enrollment");
 
         Ok((private_cookies.add(cookie), Json(response)))
     } else {
diff --git a/src/handlers/password_reset.rs b/src/handlers/password_reset.rs
@@ -1,5 +1,8 @@
 use axum::{Json, Router, extract::State, routing::post};
-use axum_extra::extract::{PrivateCookieJar, cookie::Cookie};
+use axum_extra::extract::{
+    PrivateCookieJar,
+    cookie::{Cookie, SameSite},
+};
 use time::OffsetDateTime;
 
 use crate::{
@@ -65,7 +68,14 @@ async fn start_password_reset(
     if let core_response::Payload::PasswordResetStart(response) = payload {
         // set session cookie
         let cookie = Cookie::build((PASSWORD_RESET_COOKIE_NAME, token))
-            .expires(OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).unwrap());
+            .expires(
+                OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).map_err(|_| {
+                    ApiError::Unexpected("Invalid password reset deadline timestamp".into())
+                })?,
+            )
+            .http_only(true)
+            .same_site(SameSite::Strict)
+            .path("/api/v1/password-reset");
 
         info!("Started password reset process");
         Ok((private_cookies.add(cookie), Json(response)))
