auth: Remove redirects to session package (#64260)

These functions are not required to be called outside of frontend, so there's no need to reexport them. Instead, we consolidate the signout cookie logic in the session package.

Test plan: Just moved some code around, go compiler doesn't complain.

Author: eseliger

cmd/frontend/auth/BUILD.bazel

@@ -8,7 +8,6 @@ go_library(
         "non_public.go",
         "redirect.go",
         "reset_password.go",
-        "sign_out_cookie.go",
         "user.go",
     ],
     importpath = "github.com/sourcegraph/sourcegraph/cmd/frontend/auth",
@@ -17,7 +16,6 @@ go_library(
         "//cmd/frontend/backend",
         "//cmd/frontend/internal/app/router",
         "//cmd/frontend/internal/app/ui/router",
-        "//cmd/frontend/internal/auth/session",
         "//cmd/frontend/internal/auth/userpasswd",
         "//internal/actor",
         "//internal/auth",

cmd/frontend/auth/sign_out_cookie.go

@@ -20,7 +20,6 @@ go_library(
     importpath = "github.com/sourcegraph/sourcegraph/cmd/frontend/internal/app",
     visibility = ["//cmd/frontend:__subpackages__"],
     deps = [
-        "//cmd/frontend/auth",
         "//cmd/frontend/backend",
         "//cmd/frontend/internal/app/assetsutil",
         "//cmd/frontend/internal/app/debugproxies",

cmd/frontend/internal/app/BUILD.bazel

@@ -7,7 +7,6 @@ import (
 
 	"github.com/sourcegraph/log"
 
-	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/openidconnect"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/saml"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/session"
@@ -49,7 +48,7 @@ func serveSignOutHandler(logger log.Logger, db database.DB) http.HandlerFunc {
 			logger.Error("serveSignOutHandler", log.Error(err))
 		}
 
-		auth.SetSignOutCookie(w)
+		session.SetSignOutCookie(w)
 
 		ssoSignOutHandler(w, r)
 

cmd/frontend/internal/app/sign_out.go

@@ -16,7 +16,6 @@ import (
 
 	"github.com/sourcegraph/log/logtest"
 
-	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/providers"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/session"
@@ -64,7 +63,7 @@ func TestMiddleware(t *testing.T) {
 	}
 
 	t.Run("unauthenticated homepage visit, sign-out cookie present, access requests enabled -> sg sign-in", func(t *testing.T) {
-		cookie := &http.Cookie{Name: auth.SignOutCookie, Value: "true"}
+		cookie := &http.Cookie{Name: session.SignOutCookie, Value: "true"}
 		resp := doRequest("GET", "http://example.com/", "", "", []*http.Cookie{cookie}, false)
 		if want := http.StatusOK; resp.StatusCode != want {
 			t.Errorf("got response code %v, want %v", resp.StatusCode, want)

cmd/frontend/internal/auth/bitbucketcloudoauth/middleware_test.go

@@ -14,7 +14,6 @@ import (
 
 	"github.com/sourcegraph/log/logtest"
 
-	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/providers"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/session"
@@ -65,7 +64,7 @@ func TestMiddleware(t *testing.T) {
 	}
 
 	t.Run("unauthenticated homepage visit, sign-out cookie present, access requests enabled -> sg sign-in", func(t *testing.T) {
-		cookie := &http.Cookie{Name: auth.SignOutCookie, Value: "true"}
+		cookie := &http.Cookie{Name: session.SignOutCookie, Value: "true"}
 		resp := doRequest("GET", "http://example.com/", "", "", []*http.Cookie{cookie}, false)
 		if want := http.StatusOK; resp.StatusCode != want {
 			t.Errorf("got response code %v, want %v", resp.StatusCode, want)
@@ -82,7 +81,7 @@ func TestMiddleware(t *testing.T) {
 		})
 		t.Cleanup(func() { conf.Mock(nil) })
 
-		cookie := &http.Cookie{Name: auth.SignOutCookie, Value: "true"}
+		cookie := &http.Cookie{Name: session.SignOutCookie, Value: "true"}
 
 		resp := doRequest("GET", "http://example.com/", "", "", []*http.Cookie{cookie}, false)
 		if want := http.StatusOK; resp.StatusCode != want {

cmd/frontend/internal/auth/githuboauth/middleware_test.go

@@ -14,7 +14,6 @@ import (
 
 	"github.com/sourcegraph/log/logtest"
 
-	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/providers"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/session"
@@ -94,7 +93,7 @@ func TestMiddleware(t *testing.T) {
 		}
 	})
 	t.Run("unauthenticated homepage visit, sign-out cookie present, access requests enabled -> sg sign-in", func(t *testing.T) {
-		cookie := &http.Cookie{Name: auth.SignOutCookie, Value: "true"}
+		cookie := &http.Cookie{Name: session.SignOutCookie, Value: "true"}
 
 		resp := doRequest("GET", "http://example.com/", "", "", []*http.Cookie{cookie}, false)
 		if want := http.StatusOK; resp.StatusCode != want {

cmd/frontend/internal/auth/gitlaboauth/middleware_test.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/providers"
+	"github.com/sourcegraph/sourcegraph/cmd/frontend/internal/auth/session"
 	"github.com/sourcegraph/sourcegraph/internal/actor"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/internal/database"
@@ -63,7 +64,7 @@ func NewMiddleware(db database.DB, serviceType, authPrefix string, isAPIHandler
 		// Note: For instances that are conf.AuthPublic(), we don't redirect to sign-in automatically, as that would
 		// lock out unauthenticated access.
 		pc := getExactlyOneOAuthProvider(!r.URL.Query().Has("sourcegraph-operator"))
-		if !conf.AuthPublic() && pc != nil && !isAPIHandler && pc.AuthPrefix == authPrefix && !auth.HasSignOutCookie(r) && isHuman(r) && !conf.IsAccessRequestEnabled() {
+		if !conf.AuthPublic() && pc != nil && !isAPIHandler && pc.AuthPrefix == authPrefix && !session.HasSignOutCookie(r) && isHuman(r) && !conf.IsAccessRequestEnabled() {
 			span.AddEvent("redirect to signin")
 			v := make(url.Values)
 			v.Set("redirect", auth.SafeRedirectURL(r.URL.String()))

cmd/frontend/internal/auth/oauth/middleware.go

@@ -131,7 +131,7 @@ func handleOpenIDConnectAuth(logger log.Logger, db database.DB, w http.ResponseW
 	// lock out unauthenticated access.
 	ps := providers.SignInProviders(!r.URL.Query().Has("sourcegraph-operator"))
 	openIDConnectEnabled := len(ps) == 1 && ps[0].Config().Openidconnect != nil
-	if !conf.AuthPublic() && openIDConnectEnabled && !auth.HasSignOutCookie(r) && !isAPIRequest {
+	if !conf.AuthPublic() && openIDConnectEnabled && !session.HasSignOutCookie(r) && !isAPIRequest {
 		p, oidcClient, safeErrMsg, err := GetProviderAndClient(r.Context(), ps[0].ConfigID().ID, GetProvider)
 		if err != nil {
 			log15.Error("Failed to get provider", "error", err)

cmd/frontend/internal/auth/openidconnect/middleware.go

@@ -208,7 +208,7 @@ func TestMiddleware(t *testing.T) {
 	}
 
 	t.Run("unauthenticated homepage visit, sign-out cookie present -> sg sign-in", func(t *testing.T) {
-		cookie := &http.Cookie{Name: auth.SignOutCookie, Value: "true"}
+		cookie := &http.Cookie{Name: session.SignOutCookie, Value: "true"}
 
 		resp := doRequest("GET", "http://example.com/", "", "", []*http.Cookie{cookie}, false)
 		if want := http.StatusOK; resp.StatusCode != want {

cmd/frontend/internal/auth/openidconnect/middleware_test.go

@@ -65,7 +65,7 @@ func authHandler(db database.DB, w http.ResponseWriter, r *http.Request, next ht
 	// Note: For instances that are conf.AuthPublic(), we don't redirect to sign-in automatically, as that would
 	// lock out unauthenticated access.
 	ps := providers.SignInProviders(!r.URL.Query().Has("sourcegraph-operator"))
-	if !conf.AuthPublic() && len(ps) == 1 && ps[0].Config().Saml != nil && !auth.HasSignOutCookie(r) && !isAPIRequest {
+	if !conf.AuthPublic() && len(ps) == 1 && ps[0].Config().Saml != nil && !session.HasSignOutCookie(r) && !isAPIRequest {
 		p, handled := handleGetProvider(r.Context(), w, ps[0].ConfigID().ID)
 		if handled {
 			return

cmd/frontend/internal/auth/saml/middleware.go

@@ -294,7 +294,7 @@ func TestMiddleware(t *testing.T) {
 		}
 	})
 	t.Run("unauthenticated homepage visit, sign-out cookie present -> sg login", func(t *testing.T) {
-		cookie := &http.Cookie{Name: auth.SignOutCookie, Value: "true"}
+		cookie := &http.Cookie{Name: session.SignOutCookie, Value: "true"}
 
 		resp := doRequest("GET", "http://example.com/", "", []*http.Cookie{cookie}, false, nil)
 		if want := http.StatusOK; resp.StatusCode != want {

cmd/frontend/internal/auth/saml/middleware_test.go

@@ -217,15 +217,15 @@ func SetActor(w http.ResponseWriter, r *http.Request, actor *actor.Actor, expiry
 				expiryPeriod = defaultExpiryPeriod
 			}
 		}
-		RemoveSignOutCookieIfSet(r, w)
+		removeSignOutCookieIfSet(r, w)
 
 		value = &sessionInfo{Actor: actor, ExpiryPeriod: expiryPeriod, LastActive: time.Now(), UserCreatedAt: userCreatedAt}
 	}
 	return SetData(w, r, "actor", value)
 }
 
-// RemoveSignOutCookieIfSet removes the sign-out cookie if it is set.
-func RemoveSignOutCookieIfSet(r *http.Request, w http.ResponseWriter) {
+// removeSignOutCookieIfSet removes the sign-out cookie if it is set.
+func removeSignOutCookieIfSet(r *http.Request, w http.ResponseWriter) {
 	if HasSignOutCookie(r) {
 		http.SetCookie(w, &http.Cookie{Name: SignOutCookie, Value: "", MaxAge: -1})
 	}
@@ -240,6 +240,16 @@ func HasSignOutCookie(r *http.Request) bool {
 	return ck != nil
 }
 
+// SetSignOutCookie sets a sign-out cookie on the given response.
+func SetSignOutCookie(w http.ResponseWriter) {
+	http.SetCookie(w, &http.Cookie{
+		Name:   SignOutCookie,
+		Value:  "true",
+		Secure: true,
+		Path:   "/",
+	})
+}
+
 // hasSessionCookie returns true if the given request has a session cookie.
 func hasSessionCookie(r *http.Request) bool {
 	c, _ := r.Cookie(cookieName)