From 349d98c8a01c78a3cf5f83403ff1a447117ab2b3 Mon Sep 17 00:00:00 2001
From: stagswtf <142280349+stagswtf@users.noreply.github.com>
Date: Thu, 9 Oct 2025 19:26:49 +0000
Subject: [PATCH] fix: use GetSecret() in ticket.go makeCookie

The makeCookie method in ticket.go was using t.options.Secret directly, which meant cookie-secret-file was not being respected. Updated to use GetSecret() which handles both cookie-secret and cookie-secret-file properly. Also added test coverage for cookie-secret-file functionality.

Fixes #3224

Signed-off-by: stagswtf <142280349+stagswtf@users.noreply.github.com>
---
 pkg/sessions/persistence/ticket.go | 7 +++--
 pkg/sessions/tests/session_store_tests.go | 37 +++++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/pkg/sessions/persistence/ticket.go b/pkg/sessions/persistence/ticket.go
index 7855db45..9b283eb4 100644
--- a/pkg/sessions/persistence/ticket.go
+++ b/pkg/sessions/persistence/ticket.go
@@ -233,8 +233,11 @@ func (t *ticket) clearCookie(rw http.ResponseWriter, req *http.Request) {
 // makeCookie makes a cookie, signing the value if present
 func (t *ticket) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) (*http.Cookie, error) {
 if value != "" {
- var err error
- value, err = encryption.SignedValue(t.options.Secret, t.options.Name, []byte(value), now)
+ secret, err := t.options.GetSecret()
+ if err != nil {
+ return nil, err
+ }
+ value, err = encryption.SignedValue(secret, t.options.Name, []byte(value), now)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/sessions/tests/session_store_tests.go b/pkg/sessions/tests/session_store_tests.go
index a4818ef2..05b67d8d 100644
--- a/pkg/sessions/tests/session_store_tests.go
+++ b/pkg/sessions/tests/session_store_tests.go
@@ -4,6 +4,7 @@ import (
 "crypto/rand"
 "net/http"
 "net/http/httptest"
+ "os"
 "strconv"
 "strings"
 "time"
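Review bot: The signing side now uses t.options.GetSecret(), but the matching verification of the ticket cookie (the load path of this type, outside this hunk) must read the secret from the same source, or cookies signed with the file's secret will never validate when only cookie-secret-file is set; worth confirming that call was updated or already used GetSecret(). GetSecret() now also runs on every cookie write: if it re-reads the file each time rather than caching, that is a disk read per request and a mid-run edit of the file silently changes the signing key, which may be intended for rotation but should be a deliberate choice. The error from GetSecret() is returned bare; a wrapped error such as `return nil, fmt.Errorf("loading cookie secret: %w", err)` would tell an operator which step failed, if fmt is available in this file. makeCookie's body continues past the end of the hunk.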
@@ -133,6 +134,42 @@ func RunSessionStoreTests(newSS NewSessionStoreFunc, persistentFastForward Persi
 PersistentSessionStoreInterfaceTests(&input)
 }
 })
+
+ Context("with cookie secret file", func() {
+ var tmpfile *os.File
+ var err error
+ BeforeEach(func() {
+ tmpfile, err = os.CreateTemp("", "cookie-secret-test")
+ secretBytes := make([]byte, 32)
+ tmpfile.Write(secretBytes)
+ tmpfile.Close()
+
+ input.cookieOpts = &options.Cookie{
+ Name: "_oauth2_proxy_file",
+ Path: "/",
+ Expire: time.Duration(168) * time.Hour,
+ Refresh: time.Duration(1) * time.Hour,
+ Secure: true,
+ HTTPOnly: true,
+ SameSite: "",
+ Secret: "",
+ SecretFile: tmpfile.Name(),
+ }
+ ss, err = newSS(opts, input.cookieOpts)
+ Expect(err).ToNot(HaveOccurred())
+ })
+
+ AfterEach(func() {
+ if tmpfile != nil {
+ os.Remove(tmpfile.Name())
+ }
+ })
+
+ SessionStoreInterfaceTests(&input)
+ if persistentFastForward != nil {
+ PersistentSessionStoreInterfaceTests(&input)
+ }
+ })
 })
}
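Review bot: In BeforeEach the errors from os.CreateTemp, tmpfile.Write and tmpfile.Close are all discarded, so a failure to create the fixture shows up as a nil-pointer panic on tmpfile.Write or as an empty secret file rather than a clear assertion. The 32 bytes written are all zero because secretBytes is never filled; crypto/rand is already imported in this file, so rand.Read(secretBytes) gives a realistic key at no cost, assuming GetSecret() consumes the file's raw bytes (if it expects base64 or trims whitespace, the fixture should be written in that form instead). As far as this hunk shows, the case also does not assert that the ticket cookie was signed with the file's secret, so it may pass against the pre-fix makeCookie too, since sign and verify would both have used the empty Secret consistently; a check that the cookie validates under the file secret would make it a real regression test. RunSessionStoreTests begins before this hunk.
```go
BeforeEach(func() {
	tmpfile, err = os.CreateTemp("", "cookie-secret-test")
	Expect(err).ToNot(HaveOccurred())
	secretBytes := make([]byte, 32)
	_, err = rand.Read(secretBytes)
	Expect(err).ToNot(HaveOccurred())
	_, err = tmpfile.Write(secretBytes)
	Expect(err).ToNot(HaveOccurred())
	Expect(tmpfile.Close()).ToNot(HaveOccurred())
	// … unchanged: input.cookieOpts construction and newSS call …
})
```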