From ef754274030ccfc66a2dc97debf3b19d065acfe2 Mon Sep 17 00:00:00 2001
From: hashicc <191911133+hashicc@users.noreply.github.com>
Date: Thu, 15 Jan 2026 09:38:25 -0500
Subject: [PATCH] Add path attribute to split cookies (#6298)

* Add "Path" attribute to "/" Without this the browser defaults to a path of the parent of the path in the request. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#pathpath-value This means the cookie isn't included in api requests since the path is too restrictive
* Update tests with split cookie path attribute
---
 internal/daemon/controller/handler_test.go | 2 ++
 .../daemon/controller/handlers/outgoing_response_filter.go | 2 ++
 .../controller/handlers/outgoing_response_filter_test.go | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/internal/daemon/controller/handler_test.go b/internal/daemon/controller/handler_test.go
index d2eb47e793..08258b2456 100644
--- a/internal/daemon/controller/handler_test.go
+++ b/internal/daemon/controller/handler_test.go
@@ -92,6 +92,8 @@ func TestAuthenticationHandler(t *testing.T) {
 assert.NotEmpty(t, cookies[handlers.JsVisibleCookieName].Value)
 assert.True(t, cookies[handlers.HttpOnlyCookieName].HttpOnly)
 assert.False(t, cookies[handlers.JsVisibleCookieName].HttpOnly)
+ assert.Equal(t, cookies[handlers.HttpOnlyCookieName].Path, "/")
+ assert.Equal(t, cookies[handlers.JsVisibleCookieName].Path, "/")
 tok = cookies[handlers.JsVisibleCookieName].Value
 pubId = attrs["id"].(string)
diff --git a/internal/daemon/controller/handlers/outgoing_response_filter.go b/internal/daemon/controller/handlers/outgoing_response_filter.go
index ab0c8211c6..4dd497c6d2 100644
--- a/internal/daemon/controller/handlers/outgoing_response_filter.go
+++ b/internal/daemon/controller/handlers/outgoing_response_filter.go
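Review bot: In handler_test.go the two added `assert.Equal` calls pass the observed cookie path first and the expected literal second, while testify's signature is `Equal(t, expected, actual)`, so a failure would label `/` as the actual value. Swapping the arguments gives `assert.Equal(t, "/", cookies[handlers.HttpOnlyCookieName].Path)`, and likewise for `JsVisibleCookieName`. TestAuthenticationHandler's body starts and ends outside the hunk.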
@@ -114,11 +114,13 @@ func OutgoingResponseFilter(ctx context.Context, w http.ResponseWriter, m proto.
 jsTok := http.Cookie{
 Name: JsVisibleCookieName,
 Value: tok[:half],
+ Path: "/",
 }
 httpTok := http.Cookie{
 Name: HttpOnlyCookieName,
 Value: tok[half:],
 HttpOnly: true,
+ Path: "/",
 }
 http.SetCookie(w, &jsTok)
 http.SetCookie(w, &httpTok)
diff --git a/internal/daemon/controller/handlers/outgoing_response_filter_test.go b/internal/daemon/controller/handlers/outgoing_response_filter_test.go
index 158cdc5542..c83203d901 100644
--- a/internal/daemon/controller/handlers/outgoing_response_filter_test.go
+++ b/internal/daemon/controller/handlers/outgoing_response_filter_test.go
@@ -26,8 +26,8 @@ func TestOutgoingSplitCookie(t *testing.T) {
 require.NoError(t, err)
 require.NoError(t, OutgoingResponseFilter(context.Background(), rec, &pbs.AuthenticateResponse{Attrs: &pbs.AuthenticateResponse_Attributes{Attributes: attrs}, Type: "cookie"}))
 assert.ElementsMatch(t, rec.Result().Cookies(), []*http.Cookie{
- {Name: HttpOnlyCookieName, Value: "34567890", HttpOnly: true, Raw: "wt-http-token-cookie=34567890; HttpOnly"},
- {Name: JsVisibleCookieName, Value: "t_abc_12", Raw: "wt-js-token-cookie=t_abc_12"},
+ {Name: HttpOnlyCookieName, Value: "34567890", HttpOnly: true, Path: "/", Raw: "wt-http-token-cookie=34567890; Path=/; HttpOnly"},
+ {Name: JsVisibleCookieName, Value: "t_abc_12", Path: "/", Raw: "wt-js-token-cookie=t_abc_12; Path=/"},
 })
 }
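Review bot: In outgoing_response_filter.go the `jsTok` and `httpTok` literals now carry `Path: "/"` but still set neither `Secure` nor `SameSite`, so both halves of the auth token are attached to every request to the origin, plain-HTTP ones included, and cross-site behaviour is left to each browser's default. Because the wider path increases where the token travels, this is the place to add `Secure: true,` and `SameSite: http.SameSiteStrictMode,` to both literals; `Secure` may need to be conditional if the controller is expected to serve without TLS in development, and Lax may be required if some cross-site navigation flow depends on the cookie, neither of which is visible here. A short comment on the literals, such as `// Path must be "/": the browser default is derived from the request path and would exclude API routes`, would keep the attribute from being dropped later. OutgoingResponseFilter begins and continues outside the hunk, and the expectations in TestOutgoingSplitCookie in the next file would need the same attributes.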