fix: convert auth flows from SSE to standard HTTP to fix session cookies #14

Merged
ryan merged 1 commit from fix/login-session-cookie into main 2026-03-11 20:14:35 +00:00

Summary

  • Root cause: datastar.NewSSE() flushes HTTP response headers before SCS's session middleware can attach the Set-Cookie header, so the browser never receives the session cookie after login/register/logout
  • Convert login, register, and logout from Datastar SSE to standard HTML forms with HTTP redirects, allowing SCS to write cookies normally
  • Fix return_url capture on the login page — the query parameter was never being stored in the session, so redirect-after-login didn't work
  • Add 10 handler tests covering login (success, invalid password, unknown user, return URL), register (success, password mismatch, invalid username, short password, duplicate), and logout
ryan added 1 commit 2026-03-11 20:10:47 +00:00
fix: convert auth flows from SSE to standard HTTP to fix session cookies
Some checks failed
CI / Deploy / test (pull_request) Successful in 33s
CI / Deploy / lint (pull_request) Failing after 38s
CI / Deploy / deploy (pull_request) Has been skipped
72d31fd143
Datastar's NewSSE() flushes HTTP headers before SCS's session middleware
can attach the Set-Cookie header, so the session cookie never reaches the
browser after login/register/logout.

Convert login, register, and logout to standard HTML forms with HTTP
redirects, which lets SCS write cookies normally. Also fix return_url
capture on the login page (was never being stored in the session).

Add handler tests covering login, register, and logout flows.
ryan merged commit 93147ffc46 into main 2026-03-11 20:14:35 +00:00
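
Added example, not code from this PR, SCS or Datastar: a stdlib-only Go model of the header-ordering problem described in the summary, with a streaming login next to a form-plus-redirect login. `session`, `cookieWriter`, `sseLogin`, `formLogin` and `loginCookies` are hypothetical names, and the wrapper is a simplified stand-in for a session middleware that only models an explicit `WriteHeader`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

type session struct{ userID string } // toy stand-in for per-request session state

// cookieWriter adds Set-Cookie when headers are committed, the last moment a header can be sent.
// A full wrapper would also intercept Write and Flush; that is left out to keep the model small.
type cookieWriter struct {
	http.ResponseWriter
	s *session
}

func (w *cookieWriter) WriteHeader(code int) {
	if w.s.userID != "" {
		http.SetCookie(w.ResponseWriter, &http.Cookie{Name: "session", Value: "constructed-token", HttpOnly: true})
	}
	w.ResponseWriter.WriteHeader(code)
}

// sseLogin commits headers first, as a streaming response must, then changes the session.
func sseLogin(w http.ResponseWriter, r *http.Request, s *session) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.WriteHeader(http.StatusOK) // headers are committed here
	s.userID = "alice"           // too late for Set-Cookie
	fmt.Fprint(w, "event: done\ndata: ok\n\n")
}

// formLogin changes the session first; the redirect then commits headers with the cookie.
func formLogin(w http.ResponseWriter, r *http.Request, s *session) {
	s.userID = "alice"
	http.Redirect(w, r, "/", http.StatusSeeOther)
}

// loginCookies runs one handler behind the wrapper and returns the cookies a client would receive.
func loginCookies(h func(http.ResponseWriter, *http.Request, *session)) []*http.Cookie {
	rec, s := httptest.NewRecorder(), &session{}
	h(&cookieWriter{rec, s}, httptest.NewRequest("POST", "/login", nil), s)
	return rec.Result().Cookies()
}

func main() {
	fmt.Println("SSE login cookies:", len(loginCookies(sseLogin)))
	fmt.Println("form login cookies:", len(loginCookies(formLogin)))
}
```

A handler test of the same shape, asserting on `Set-Cookie` in the recorded response, catches a regression if an auth route is later moved back onto a streaming response.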
Reference: ryan/games#14