Merge commit from fork

Closes two independent draft advisories in a single PR. Each fix is
narrow, defense-in-depth, and verified by a dedicated test.

GHSA-rqfj-vv8r-xhqc (medium, Secure cookies):
- Add ServerConfig.CookieSecure *bool with CookieSecureResolved() that
  resolves explicit value first, otherwise infers true when both
  tls_cert and tls_key are set.
- Thread the flag through SessionManager and OIDC via SetCookieSecure
  setters; Web.WithCookieSecure propagates to both (nil-safe for OIDC).
- Update every cookie write site to set Secure: sm.cookieSecure /
  o.cookieSecure. Logout and OIDC state-clear cookies also pick up the
  full HttpOnly/Secure/SameSite=Lax fingerprint so browsers reliably
  replace the live cookies (RFC 6265 attribute matching).

GHSA-6vgg-xhvh-38ff (low, mobile-bundle Cache-Control):
- handleMobileBundle now sets Cache-Control: no-store, Pragma: no-cache,
  Expires: 0 alongside Content-Type. The endpoint returns a freshly
  minted X25519 private key inline, so any cache between server and
  operator must drop the response. X-Content-Type-Options: nosniff is
  already set globally by the securityHeaders middleware in
  cli/serve.go (verified by cli/security_headers_test.go), so the
  handler does not duplicate it.

Note: GHSA-wx87-29cj-m659 (constant-time legacy-key compare) was part
of the original bundle but is now obsoleted on main — the legacy
config-file API key fallback was removed in 56c07b7, eliminating the
timing oracle entirely. The corresponding advisory should be closed
with reference to that commit rather than fixed here.

Author: juev

internal/api/mobile_bundle.go

@@ -69,8 +69,15 @@ func (s *Server) handleMobileBundle(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Return YAML bundle with proper content-type
+	// Return YAML bundle with proper content-type. The bundle inlines a
+	// freshly-minted X25519 private key, so suppress every layer of cache
+	// between server and operator (intermediate proxies/CDNs, browser disk
+	// cache). X-Content-Type-Options is set globally by the securityHeaders
+	// middleware in cli/serve.go. Closes GHSA-6vgg-xhvh-38ff.
 	w.Header().Set("Content-Type", "application/yaml; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-store")
+	w.Header().Set("Pragma", "no-cache")
+	w.Header().Set("Expires", "0")
 	w.WriteHeader(http.StatusOK)
 	if _, err := w.Write(bundle); err != nil {
 		s.logger.Error("write mobile bundle response", "error", err)

internal/api/mobile_bundle_test.go

@@ -52,6 +52,20 @@ func TestHandleMobileBundle_Success(t *testing.T) {
 		t.Errorf("Content-Type = %q, want 'application/yaml; charset=utf-8'", ct)
 	}
 
+	// Bundle inlines a freshly-minted X25519 private key — every cache
+	// between server and operator must drop the response. X-Content-Type-Options
+	// is covered by the securityHeaders middleware (cli/security_headers_test.go).
+	// Regression for GHSA-6vgg-xhvh-38ff.
+	for header, want := range map[string]string{
+		"Cache-Control": "no-store",
+		"Pragma":        "no-cache",
+		"Expires":       "0",
+	} {
+		if got := w.Header().Get(header); got != want {
+			t.Errorf("%s = %q, want %q", header, got, want)
+		}
+	}
+
 	// Verify body is valid YAML with expected keys
 	var yamlData map[string]interface{}
 	if err := yaml.Unmarshal(w.Body.Bytes(), &yamlData); err != nil {

internal/cli/serve.go

@@ -223,6 +223,11 @@ func Serve(configPath string) error {
 		logger.Info("oidc enabled", "issuer", cfg.OIDC.Issuer)
 	}
 
+	// Resolve cookie_secure AFTER any OIDC wiring so the OIDC state cookie
+	// picks up the same flag (the helper propagates to both session manager
+	// and OIDC). Closes GHSA-rqfj-vv8r-xhqc.
+	webUI.WithCookieSecure(cfg.CookieSecureResolved())
+
 	mux := buildMux(webUI, apiSrv)
 
 	httpServer := &http.Server{

internal/config/server.go

@@ -78,6 +78,25 @@ type ServerConfig struct {
 	// CAAutoRotate configures the periodic CA auto-rotation scanner (issue #110).
 	// Disabled by default — operators must opt in by setting Enabled=true.
 	CAAutoRotate CAAutoRotateConfig `yaml:"ca_auto_rotate,omitempty"`
+
+	// CookieSecure controls the `Secure` attribute on session and OIDC
+	// state cookies (GHSA-rqfj-vv8r-xhqc). When unset, the effective
+	// value is inferred from the TLS configuration: true if both
+	// tls_cert and tls_key are populated, false otherwise. Operators
+	// terminating TLS at a reverse proxy must set this to true
+	// explicitly — `rate_limit.trust_proxy_header` is not a reliable
+	// signal that the proxy speaks TLS to clients.
+	CookieSecure *bool `yaml:"cookie_secure,omitempty"`
+}
+
+// CookieSecureResolved returns the effective Secure-cookie flag for this
+// configuration. Explicit value wins; if unset, infer from the presence
+// of TLS material on the server itself.
+func (c ServerConfig) CookieSecureResolved() bool {
+	if c.CookieSecure != nil {
+		return *c.CookieSecure
+	}
+	return c.TLSCert != "" && c.TLSKey != ""
 }
 
 // EnrollmentTokenTTLDuration returns the configured default token TTL parsed

internal/config/server_test.go

@@ -288,3 +288,29 @@ ca_auto_rotate:
 		t.Fatal("expected error for interval < 1m, got nil")
 	}
 }
+
+// TestCookieSecureResolved covers GHSA-rqfj-vv8r-xhqc's resolution rules:
+// explicit cookie_secure wins; otherwise the value is inferred from the
+// presence of TLS material on the server.
+func TestCookieSecureResolved(t *testing.T) {
+	ptr := func(b bool) *bool { return &b }
+	cases := []struct {
+		name string
+		cfg  ServerConfig
+		want bool
+	}{
+		{"explicit_true", ServerConfig{CookieSecure: ptr(true)}, true},
+		{"explicit_false_overrides_tls", ServerConfig{CookieSecure: ptr(false), TLSCert: "c", TLSKey: "k"}, false},
+		{"unset_no_tls", ServerConfig{}, false},
+		{"unset_with_tls", ServerConfig{TLSCert: "c", TLSKey: "k"}, true},
+		{"unset_partial_tls_cert_only", ServerConfig{TLSCert: "c"}, false},
+		{"unset_partial_tls_key_only", ServerConfig{TLSKey: "k"}, false},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			if got := c.cfg.CookieSecureResolved(); got != c.want {
+				t.Errorf("CookieSecureResolved() = %v, want %v", got, c.want)
+			}
+		})
+	}
+}

internal/web/oidc.go

@@ -39,13 +39,27 @@ type OIDC struct {
 	stateMu sync.Mutex
 	states  map[string]time.Time // state token → expiry
 
+	// cookieSecure controls the Secure attribute on the OIDC state cookie.
+	// Set via SetCookieSecure from the server's resolved config value.
+	// Closes GHSA-rqfj-vv8r-xhqc.
+	cookieSecure bool
+
 	// provisionCA is invoked after a new operator is successfully created
 	// during OIDC first-time login. Enables auto-provisioning of default CA
 	// for user-role operators without coupling OIDC to Web struct.
 	// If nil, auto-provision is skipped.
 	provisionCA func(ctx context.Context, op *models.Operator) error
 }
 
+// SetCookieSecure controls the Secure attribute on the OIDC state cookie.
+// Called at startup from cli/serve.go with the resolved server-config value.
+func (o *OIDC) SetCookieSecure(secure bool) {
+	if o == nil {
+		return
+	}
+	o.cookieSecure = secure
+}
+
 // NewOIDC builds an OIDC integration from the given config. It contacts the
 // issuer to fetch the OIDC discovery document. Returns (nil, nil) if OIDC is
 // disabled or unconfigured.
@@ -100,6 +114,7 @@ func (o *OIDC) HandleLogin(rw http.ResponseWriter, r *http.Request) {
 		Value:    state,
 		Path:     "/",
 		HttpOnly: true,
+		Secure:   o.cookieSecure,
 		SameSite: http.SameSiteLaxMode,
 		MaxAge:   int(oidcStateTTL.Seconds()),
 	})
@@ -122,7 +137,18 @@ func (o *OIDC) HandleCallback(rw http.ResponseWriter, r *http.Request) {
 		http.Error(rw, "invalid oidc state", http.StatusBadRequest)
 		return
 	}
-	http.SetCookie(rw, &http.Cookie{Name: oidcStateCookieName, Value: "", Path: "/", MaxAge: -1})
+	// Match every attribute of the live state cookie so the browser
+	// replaces it reliably (RFC 6265). Without HttpOnly/SameSite/Secure
+	// matching, some CDNs and corporate proxies keep the original around.
+	http.SetCookie(rw, &http.Cookie{
+		Name:     oidcStateCookieName,
+		Value:    "",
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   o.cookieSecure,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   -1,
+	})
 
 	code := r.URL.Query().Get("code")
 	if code == "" {

internal/web/oidc_test.go

@@ -129,3 +129,25 @@ func TestOIDC_HandleCallbackBadState(t *testing.T) {
 		t.Errorf("status = %d, want 400 for invalid state", rec.Code)
 	}
 }
+
+// TestOIDC_SetCookieSecure covers GHSA-rqfj-vv8r-xhqc's OIDC arm. The
+// setter must be nil-safe (it is called unconditionally from Web.WithCookieSecure
+// even when OIDC is not configured) and must propagate the flag into
+// every state-cookie write — both the live-state set in HandleLogin and
+// the delete-cookie in HandleCallback.
+func TestOIDC_SetCookieSecure(t *testing.T) {
+	// nil-safety: must not panic when no OIDC is configured.
+	var nilOIDC *OIDC
+	nilOIDC.SetCookieSecure(true)
+
+	// Setter writes to the field.
+	o := &OIDC{}
+	o.SetCookieSecure(true)
+	if !o.cookieSecure {
+		t.Error("SetCookieSecure(true) did not propagate")
+	}
+	o.SetCookieSecure(false)
+	if o.cookieSecure {
+		t.Error("SetCookieSecure(false) did not propagate")
+	}
+}

internal/web/session.go

@@ -23,14 +23,22 @@ const (
 
 // SessionManager handles DB-backed cookie sessions for operator users.
 type SessionManager struct {
-	store store.Store
+	store        store.Store
+	cookieSecure bool
 }
 
 // NewSessionManager creates a new session manager backed by the given store.
 func NewSessionManager(s store.Store) *SessionManager {
 	return &SessionManager{store: s}
 }
 
+// SetCookieSecure controls the Secure attribute on session cookies. Called
+// at startup from cli/serve.go with the resolved server-config value.
+// Closes GHSA-rqfj-vv8r-xhqc.
+func (sm *SessionManager) SetCookieSecure(secure bool) {
+	sm.cookieSecure = secure
+}
+
 // LoginResult is the outcome of the first authentication step.
 type LoginResult struct {
 	Operator   *models.Operator
@@ -92,6 +100,7 @@ func (sm *SessionManager) Login(w http.ResponseWriter, r *http.Request, username
 		Value:    token,
 		Path:     "/",
 		HttpOnly: true,
+		Secure:   sm.cookieSecure,
 		SameSite: http.SameSiteLaxMode,
 		MaxAge:   cookieMaxAge,
 	})
@@ -123,6 +132,7 @@ func (sm *SessionManager) StartAuthenticatedSession(w http.ResponseWriter, r *ht
 		Value:    token,
 		Path:     "/",
 		HttpOnly: true,
+		Secure:   sm.cookieSecure,
 		SameSite: http.SameSiteLaxMode,
 		MaxAge:   int(sessionDuration.Seconds()),
 	})
@@ -162,6 +172,7 @@ func (sm *SessionManager) CompleteTwoFactor(w http.ResponseWriter, r *http.Reque
 		Value:    cookie.Value,
 		Path:     "/",
 		HttpOnly: true,
+		Secure:   sm.cookieSecure,
 		SameSite: http.SameSiteLaxMode,
 		MaxAge:   int(sessionDuration.Seconds()),
 	})
@@ -176,11 +187,17 @@ func (sm *SessionManager) Logout(w http.ResponseWriter, r *http.Request) {
 			slog.Debug("delete session", "error", err)
 		}
 	}
+	// Match every attribute of the live session cookie so browsers reliably
+	// replace it. RFC 6265 requires (Name, Domain, Path) to match; setting
+	// SameSite and Secure to the same values prevents fingerprint mismatches
+	// that have caused stale-cookie bugs in production CDNs.
 	http.SetCookie(w, &http.Cookie{
 		Name:     sessionCookieName,
 		Value:    "",
 		Path:     "/",
 		HttpOnly: true,
+		Secure:   sm.cookieSecure,
+		SameSite: http.SameSiteLaxMode,
 		MaxAge:   -1,
 	})
 }

internal/web/web.go

@@ -131,6 +131,14 @@ func (w *Web) recordLogin(result, factor string) {
 // before ServeHTTP is invoked. Default is false.
 func (w *Web) AllowSelfRegistration(allow bool) { w.allowSelfRegistration = allow }
 
+// WithCookieSecure threads the resolved cookie-secure flag through to the
+// session manager and (if attached) OIDC. Call after WithOIDC so the OIDC
+// state cookie picks up the same flag. Closes GHSA-rqfj-vv8r-xhqc.
+func (w *Web) WithCookieSecure(secure bool) {
+	w.session.SetCookieSecure(secure)
+	w.oidc.SetCookieSecure(secure) // nil-safe inside SetCookieSecure
+}
+
 // WithOIDC attaches an OIDC provider and registers its login/callback routes.
 // Must be called before ServeHTTP is invoked.
 func (w *Web) WithOIDC(o *OIDC) {

internal/web/web_test.go

@@ -99,6 +99,69 @@ func TestLogin_Success(t *testing.T) {
 	}
 }
 
+// TestSession_CookieSecureFlag covers GHSA-rqfj-vv8r-xhqc: when the
+// resolved cookie_secure flag is true, both the live session cookie and
+// the logout-delete cookie must carry Secure. Mirrors the OIDC test for
+// the state cookie.
+func TestSession_CookieSecureFlag(t *testing.T) {
+	w, _ := newTestWeb(t)
+	w.WithCookieSecure(true)
+
+	cookies := loginSession(t, w)
+	var live *http.Cookie
+	for _, c := range cookies {
+		if c.Name == sessionCookieName {
+			live = c
+			break
+		}
+	}
+	if live == nil {
+		t.Fatal("session cookie not set after login")
+	}
+	if !live.Secure {
+		t.Error("session cookie missing Secure attribute")
+	}
+	if !live.HttpOnly {
+		t.Error("session cookie missing HttpOnly attribute")
+	}
+	if live.SameSite != http.SameSiteLaxMode {
+		t.Errorf("session cookie SameSite = %v, want Lax", live.SameSite)
+	}
+
+	// Re-issuing the logout cookie with mismatched attributes leaves
+	// browsers holding the original — assert the delete cookie matches
+	// the live cookie's fingerprint.
+	logoutReq := httptest.NewRequest("GET", "/ui/logout", nil)
+	logoutReq.AddCookie(live)
+	logoutRec := httptest.NewRecorder()
+	w.ServeHTTP(logoutRec, logoutReq)
+	var del *http.Cookie
+	for _, c := range logoutRec.Result().Cookies() {
+		if c.Name == sessionCookieName {
+			del = c
+		}
+	}
+	if del == nil {
+		t.Fatal("logout did not emit a session-cookie delete")
+	}
+	if !del.Secure || !del.HttpOnly || del.SameSite != http.SameSiteLaxMode {
+		t.Errorf("logout cookie attribute drift: Secure=%v HttpOnly=%v SameSite=%v",
+			del.Secure, del.HttpOnly, del.SameSite)
+	}
+}
+
+// TestSession_CookieSecureDefault confirms that without an explicit
+// WithCookieSecure call, the cookie is NOT marked Secure — required so
+// plain-HTTP local development stays usable.
+func TestSession_CookieSecureDefault(t *testing.T) {
+	w, _ := newTestWeb(t)
+	for _, c := range loginSession(t, w) {
+		if c.Name == sessionCookieName && c.Secure {
+			t.Error("session cookie unexpectedly Secure when flag not set")
+		}
+	}
+}
+
 func TestLogin_WrongPassword(t *testing.T) {
 	w, _ := newTestWeb(t)
 	form := url.Values{"username": {testUsername}, "password": {"wrong"}}