From 8e86abf5fa08b3855bc4945ce9d526329da8318f Mon Sep 17 00:00:00 2001
From: Andrew Johnston
Date: Tue, 18 Nov 2025 08:36:52 -0900
Subject: [PATCH 1/3] ASFCUMULUS-845: set additional properties of session cookie
---
 rain_api_core/auth.py | 4 +++-
 tests/test_auth.py | 10 +++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/rain_api_core/auth.py b/rain_api_core/auth.py
index 49b0b9e..844bfa9 100644
--- a/rain_api_core/auth.py
+++ b/rain_api_core/auth.py
@@ -143,4 +143,6 @@ def get_header_to_set_auth_cookie(self, user_profile: Optional[UserProfile], coo
 expire_date = format_7231_date(payload['exp'])
 else:
 expire_date = 'Thu, 01 Jan 1970 00:00:00 GMT'
- return {'SET-COOKIE': f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}'}
+ return {
+ 'SET-COOKIE': f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}; Secure=True; HttpOnly=True; SameSite=Lax'
+ }
diff --git a/tests/test_auth.py b/tests/test_auth.py
index fada2d2..e50b301 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
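Review bot: The `Secure` attribute added to the `return` value means browsers will discard the cookie on any plain-HTTP deployment (local development included), and neither the hunk nor the tests records that HTTPS is now a hard requirement for the session to work. A comment above the `return`, `# Secure: TLS only; HttpOnly: unreadable from script; SameSite=Lax: withheld on cross-site subrequests but still sent on top-level navigations`, plus a sentence in the method docstring stating that the API must be served over HTTPS, would make that explicit. `get_header_to_set_auth_cookie` starts above this hunk, so whether it already carries a docstring is not visible here. The same return lines are rewritten by the `rain_api_core/auth.py` hunks of PATCH 2/3 and PATCH 3/3, so the comment belongs in that final form.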
@@ -163,17 +163,21 @@ def test_get_header_to_set_auth_cookie(
 )
 header = jwt_manager.get_header_to_set_auth_cookie(profile, '')
- assert header == {'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/'}
+ assert header == {
+ 'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Secure=True; HttpOnly=True; SameSite=Lax'
+ }
 header = jwt_manager.get_header_to_set_auth_cookie(profile, 'DOMAIN')
 assert header == {
- 'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN'
+ 'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN; Secure=True; HttpOnly=True; SameSite=Lax'
 }
 def test_get_header_to_set_auth_cookie_logout(jwt_manager):
 header = jwt_manager.get_header_to_set_auth_cookie(None, 'DOMAIN')
- assert header == {'SET-COOKIE': 'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN'}
+ assert header == {
+ 'SET-COOKIE': 'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN; Secure=True; HttpOnly=True; SameSite=Lax'
+ }
 @mock.patch(f'{MODULE}.time', autospec=True)
From 2f79f1f075f07ad19ed6f33dcf22fa59bffe7644 Mon Sep 17 00:00:00 2001
From: Andrew Johnston
Date: Tue, 18 Nov 2025 08:44:36 -0900
Subject: [PATCH 2/3] reduce line length
---
 rain_api_core/auth.py | 5 ++++-
 tests/test_auth.py | 15 ++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/rain_api_core/auth.py b/rain_api_core/auth.py
index 844bfa9..9d609da 100644
--- a/rain_api_core/auth.py
+++ b/rain_api_core/auth.py
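Review bot: The three assertions pin the exact attribute order and spelling of the whole Set-Cookie string, which is why every later patch in this series has to rewrite all three again (the `tests/test_auth.py` hunks of PATCH 2/3 and PATCH 3/3); parsing the value instead would assert the security contract rather than the formatting. For example `morsel = http.cookies.SimpleCookie(header['SET-COOKIE'])['auth-cookie']` followed by `assert morsel['secure'] and morsel['httponly'] and morsel['samesite'] == 'Lax'` checks that the flags are present regardless of how the string is wrapped or ordered, and `assert morsel.value == 'COOKIE_VALUE'` and `assert morsel['domain'] == 'DOMAIN'` cover the rest. Keeping one exact-string assertion for the `''` domain case would still catch a malformed header. The logout test at the bottom of the hunk is the one that most benefits, since it is the only place the `expired` sentinel is checked.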
@@ -144,5 +144,8 @@ def get_header_to_set_auth_cookie(self, user_profile: Optional[UserProfile], coo
 else:
 expire_date = 'Thu, 01 Jan 1970 00:00:00 GMT'
 return {
- 'SET-COOKIE': f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}; Secure=True; HttpOnly=True; SameSite=Lax'
+ 'SET-COOKIE': (
+ f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}; Secure=True; '
+ 'HttpOnly=True; SameSite=Lax'
+ )
 }
diff --git a/tests/test_auth.py b/tests/test_auth.py
index e50b301..530a6b2 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -164,19 +164,28 @@ def test_get_header_to_set_auth_cookie(
 header = jwt_manager.get_header_to_set_auth_cookie(profile, '')
 assert header == {
- 'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Secure=True; HttpOnly=True; SameSite=Lax'
+ 'SET-COOKIE': (
+ 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Secure=True; '
+ 'HttpOnly=True; SameSite=Lax'
+ )
 }
 header = jwt_manager.get_header_to_set_auth_cookie(profile, 'DOMAIN')
 assert header == {
- 'SET-COOKIE': 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN; Secure=True; HttpOnly=True; SameSite=Lax'
+ 'SET-COOKIE': (
+ 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN; Secure=True; '
+ 'HttpOnly=True; SameSite=Lax'
+ )
 }
 def test_get_header_to_set_auth_cookie_logout(jwt_manager):
 header = jwt_manager.get_header_to_set_auth_cookie(None, 'DOMAIN')
 assert header == {
- 'SET-COOKIE': 'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN; Secure=True; HttpOnly=True; SameSite=Lax'
+ 'SET-COOKIE': (
+ 'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN; Secure=True; '
+ 'HttpOnly=True; SameSite=Lax'
+ )
 }
From 4c8e4733bacd51ffee72ff0b239e35eae9d04e23 Mon Sep 17 00:00:00 2001
From: Andrew Johnston
Date: Tue, 18 Nov 2025 08:56:01 -0900
Subject: [PATCH 3/3] shorten setting httponly and secure boolean properties
---
 rain_api_core/auth.py | 4 ++--
 tests/test_auth.py | 11 +++++------
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/rain_api_core/auth.py b/rain_api_core/auth.py
index 9d609da..96db5a2 100644
--- a/rain_api_core/auth.py
+++ b/rain_api_core/auth.py
@@ -145,7 +145,7 @@ def get_header_to_set_auth_cookie(self, user_profile: Optional[UserProfile], coo
 expire_date = 'Thu, 01 Jan 1970 00:00:00 GMT'
 return {
 'SET-COOKIE': (
- f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}; Secure=True; '
- 'HttpOnly=True; SameSite=Lax'
+ f'{self.cookie_name}={cookie_value}; Expires={expire_date}; Path=/{cookie_domain}; Secure; '
+ 'HttpOnly; SameSite=Lax'
 )
 }
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 530a6b2..1951907 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -165,16 +165,15 @@ def test_get_header_to_set_auth_cookie(
 header = jwt_manager.get_header_to_set_auth_cookie(profile, '')
 assert header == {
 'SET-COOKIE': (
- 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Secure=True; '
- 'HttpOnly=True; SameSite=Lax'
+ 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Secure; HttpOnly; SameSite=Lax'
 )
 }
 header = jwt_manager.get_header_to_set_auth_cookie(profile, 'DOMAIN')
 assert header == {
 'SET-COOKIE': (
- 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN; Secure=True; '
- 'HttpOnly=True; SameSite=Lax'
+ 'auth-cookie=COOKIE_VALUE; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=DOMAIN; Secure; HttpOnly; '
+ 'SameSite=Lax'
 )
 }
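Review bot: `cookie_domain` and `cookie_value` are interpolated into the Set-Cookie f-string without any check, so a `;` in either would silently append or override cookie attributes (and a CR/LF could become a further header, depending on the response layer). How `cookie_domain` is derived is not visible in this hunk — the test expects `'DOMAIN'` to arrive as `; Domain=DOMAIN`, so it is transformed earlier in the method — and if it can originate from request data such as the Host header rather than deployment configuration, the place where that `; Domain=` prefix is built should reject anything outside a hostname charset, e.g. `if not re.fullmatch(r'[A-Za-z0-9.-]+', domain): raise ValueError('invalid cookie domain')` (constructed example; needs `import re`). If it is configuration only, a one-line comment stating that assumption above the `return` is enough to keep the next maintainer from sourcing it from the request. The bare `Secure`/`HttpOnly` spelling here is the RFC 6265 form, so the `=True` variant from PATCH 1/3 is no longer a concern. `get_header_to_set_auth_cookie` begins above this hunk.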
@@ -183,8 +182,8 @@ def test_get_header_to_set_auth_cookie_logout(jwt_manager):
 header = jwt_manager.get_header_to_set_auth_cookie(None, 'DOMAIN')
 assert header == {
 'SET-COOKIE': (
- 'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN; Secure=True; '
- 'HttpOnly=True; SameSite=Lax'
+ 'auth-cookie=expired; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=DOMAIN; Secure; HttpOnly; '
+ 'SameSite=Lax'
 )
 }