fix: secure session cookies and validate WebSocket origin

[cfsmp3]

Summary

Security fixes for two high-severity vulnerabilities identified in the security audit.

1. Secure Session Cookies

Problem: Session cookies were created without security flags, making them vulnerable to:

• XSS attacks (JavaScript could read session cookies)
• CSRF attacks (cookies sent on cross-site requests)
• Man-in-the-middle attacks (cookies sent over HTTP)

Fix: Added secure cookie options in backend/main.go:

• HttpOnly: true - Prevents JavaScript access
• Secure: true (in production) - Cookies only sent over HTTPS
• SameSite: Lax - CSRF protection while allowing OAuth redirects
• MaxAge: 7 days - Reasonable session lifetime

2. WebSocket Origin Validation

Problem: WebSocket upgrader accepted connections from ANY origin:

CheckOrigin: func(r *http.Request) bool {
    return true
}

This allowed any website to establish WebSocket connections, enabling cross-site WebSocket hijacking.

Fix: Added checkWebSocketOrigin() function that:

• Validates Origin header against ALLOWED_ORIGIN environment variable
• Allows localhost origins in development mode (ENV != "production")
• Falls back to same-origin check if no env var configured
• Logs rejected connection attempts for monitoring

3. Updated Production Configuration

• Added ENV variable documentation (set to "production" for secure mode)
• Added ALLOWED_ORIGIN variable for WebSocket validation
• Improved documentation of all environment variables

Files Changed

• backend/main.go - Added secure session cookie options
• backend/controllers/websocket.go - Added origin validation
• production/example.backend.env - Added security configuration

Deployment Notes

After merging, update the VPS backend .env to include:

ENV="production"
ALLOWED_ORIGIN="https://taskwarrior-server.ccextractor.org"

Then rebuild and restart the backend container.

Test Plan

• Verify session cookies have HttpOnly, Secure, SameSite flags (browser dev tools)
• Verify WebSocket connects from allowed origin
• Verify WebSocket rejects connections from other origins
• Verify OAuth login still works (SameSite=Lax allows redirects)

🤖 Generated with Claude Code

[github-actions]

Thank you for opening this PR!

Before a maintainer takes a look, it would be really helpful if you could walk through your changes using GitHub's review tools.

Please take a moment to:

• Check the "Files changed" tab
• Leave comments on any lines for functions, comments, etc. that are important, non-obvious, or may need attention
• Clarify decisions you made or areas you might be unsure about and/or any future updates being considered.
• Finally, submit all the comments!

More information on how to conduct a self review:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request

This helps make the review process smoother and gives us a clearer understanding of your thought process.

Once you've added your self-review, we'll continue from our side. Thank you!

[its-me-abhishek]

this might be easy to break.

xyz.abc.org
and
xyz.org would both have xyz as host

[cfsmp3]

Addressed both review comments in commit f284ff9:

1. Clubbed empty origin check with development mode - Now the origin == "" check is inside the development mode block as suggested.

2. Fixed the strings.Contains security issue - Replaced with proper URL parsing using net/url. Now does exact hostname comparison:

   • Parses the origin URL with url.Parse()
   • Extracts hostname with parsedOrigin.Hostname()
   • Compares exactly with request host (after stripping port)

Also added: In production mode, missing Origin header is now rejected (logged as warning).

Tested on VPS - login works, bad origins are rejected with 400.