feat(auth): add secure flag to JSESSIONID cookie and test JSESSIONID cookie setting

- Add secure: true to cookies.set() in login and signup actions - Add tests verifying JSESSIONID is forwarded to browser on successful login and signup Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 18:50:34 +02:00
parent 16f0feb8d5
commit 61249af086
4 changed files with 36 additions and 2 deletions
--- a/frontend/src/routes/(public)/login/page.server.test.ts
+++ b/frontend/src/routes/(public)/login/page.server.test.ts
@@ -119,6 +119,23 @@ describe('login form action', () => {
 		}
 	});

+	it('sets JSESSIONID cookie on successful login', async () => {
+		mockPost.mockResolvedValue({
+			data: { data: { id: '123' } },
+			error: undefined,
+			response: { headers: { get: vi.fn().mockReturnValue('JSESSIONID=abc123; Path=/; HttpOnly') } }
+		});
+
+		const event = createEvent({ email: 'sarah@example.com', password: 'password123' });
+		try {
+			await actions.default(event);
+		} catch {
+			// redirect throws
+		}
+
+		expect(event.cookies.set).toHaveBeenCalledWith('JSESSIONID', 'abc123', expect.objectContaining({ path: '/', secure: true }));
+	});
+
 	it('rejects empty email with validation error', async () => {
 		const result = await actions.default(createEvent({
 			email: '',