fix: set cookies alongside header when SendJWTHeader is enabled (#262)

paskal · umputun · web-flow · commit fe8d6914a145 · 2025-12-22T13:55:24.000-06:00
* fix: set cookies alongside header when SendJWTHeader is enabled When SendJWTHeader is true, now sets both the JWT header AND cookies. This fixes OAuth authentication flows where HTTP headers don't survive browser redirects. Cookies are needed for the OAuth callback to complete successfully, while headers are still set for direct API calls. Fixes umputun/remark42#1877 * test: add XSRF cookie value assertion in SendJWTHeader test verify XSRF-TOKEN cookie value matches claims ID for consistency with TestJWT_SetWithDomain --------- Co-authored-by: Umputun <umputun@gmail.com>
diff --git a/token/jwt.go b/token/jwt.go
@@ -249,7 +249,8 @@ func (j *Service) Set(w http.ResponseWriter, claims Claims) (Claims, error) {
 
 	if j.SendJWTHeader {
 		w.Header().Set(j.JWTHeaderKey, tokenString)
-		return claims, nil
+		// don't return here - fall through to also set cookies
+		// cookies are needed for OAuth redirect flows where headers don't survive redirects
 	}
 
 	cookieExpiration := 0 // session cookie
diff --git a/token/jwt_test.go b/token/jwt_test.go
@@ -263,7 +263,12 @@ func TestJWT_SendJWTHeader(t *testing.T) {
 	assert.NoError(t, err)
 	cookies := rr.Result().Cookies()
 	t.Log(cookies)
-	require.Equal(t, 0, len(cookies), "no cookies set")
+	// cookies are set alongside header to support OAuth redirect flows
+	require.Equal(t, 2, len(cookies), "cookies set alongside header")
+	assert.Equal(t, "JWT", cookies[0].Name)
+	assert.Equal(t, testJwtValid, cookies[0].Value)
+	assert.Equal(t, "XSRF-TOKEN", cookies[1].Name)
+	assert.Equal(t, "random id", cookies[1].Value)
 	assert.Equal(t, testJwtValid, rr.Result().Header.Get("X-JWT"))
 }
 
diff --git a/v2/token/jwt.go b/v2/token/jwt.go
@@ -266,7 +266,8 @@ func (j *Service) Set(w http.ResponseWriter, claims Claims) (Claims, error) {
 
 	if j.SendJWTHeader {
 		w.Header().Set(j.JWTHeaderKey, tokenString)
-		return claims, nil
+		// don't return here - fall through to also set cookies
+		// cookies are needed for OAuth redirect flows where headers don't survive redirects
 	}
 
 	cookieExpiration := 0 // session cookie
diff --git a/v2/token/jwt_test.go b/v2/token/jwt_test.go
@@ -263,7 +263,12 @@ func TestJWT_SendJWTHeader(t *testing.T) {
 	assert.NoError(t, err)
 	cookies := rr.Result().Cookies()
 	t.Log(cookies)
-	require.Equal(t, 0, len(cookies), "no cookies set")
+	// cookies are set alongside header to support OAuth redirect flows
+	require.Equal(t, 2, len(cookies), "cookies set alongside header")
+	assert.Equal(t, "JWT", cookies[0].Name)
+	assert.Equal(t, testJwtValid, cookies[0].Value)
+	assert.Equal(t, "XSRF-TOKEN", cookies[1].Name)
+	assert.Equal(t, "random id", cookies[1].Value)
 	assert.Equal(t, testJwtValid, rr.Result().Header.Get("X-JWT"))
 }
 

Original file line number	Diff line number	Diff line change
`@@ -249,7 +249,8 @@ func (j *Service) Set(w http.ResponseWriter, claims Claims) (Claims, error) {`
`249`	`249`
`250`	`250`	`if j.SendJWTHeader {`
`251`	`251`	`w.Header().Set(j.JWTHeaderKey, tokenString)`
`252`		`- return claims, nil`
	`252`	`+ // don't return here - fall through to also set cookies`
	`253`	`+ // cookies are needed for OAuth redirect flows where headers don't survive redirects`
`253`	`254`	`}`
`254`	`255`
`255`	`256`	`cookieExpiration := 0 // session cookie`
Original file line number	Diff line number	Diff line change
`@@ -266,7 +266,8 @@ func (j *Service) Set(w http.ResponseWriter, claims Claims) (Claims, error) {`
`266`	`266`
`267`	`267`	`if j.SendJWTHeader {`
`268`	`268`	`w.Header().Set(j.JWTHeaderKey, tokenString)`
`269`		`- return claims, nil`
	`269`	`+ // don't return here - fall through to also set cookies`
	`270`	`+ // cookies are needed for OAuth redirect flows where headers don't survive redirects`
`270`	`271`	`}`
`271`	`272`
`272`	`273`	`cookieExpiration := 0 // session cookie`