From 6418d27f5a792688a0674f411f9b459b392301e2 Mon Sep 17 00:00:00 2001
From: Khwezi Mngoma
Date: Sun, 14 Jun 2026 12:50:13 +0200
Subject: [PATCH] Added cookie policies on AddLiteCharmsWebSecurity

---
 LiteCharms.Features/Extensions/Api.cs | 32 +++++++++++--------
 .../LiteCharms.Features.csproj | 1 +
 2 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/LiteCharms.Features/Extensions/Api.cs b/LiteCharms.Features/Extensions/Api.cs
index f430d4e..0a72ceb 100644
--- a/LiteCharms.Features/Extensions/Api.cs
+++ b/LiteCharms.Features/Extensions/Api.cs
@@ -3,9 +3,6 @@ using LiteCharms.Features.Api;
 using LiteCharms.Features.Api.Configuration;
 using LiteCharms.Features.Api.Sdk;
 using LiteCharms.Features.Postgres;
-using Microsoft.AspNetCore.Hosting;
-using System.Runtime.InteropServices;
-using System.Security.Cryptography.X509Certificates;
 
 namespace LiteCharms.Features.Extensions;
@@ -75,39 +72,48 @@ public static class Api
 options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
 })
- .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
+ .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
+ {
+ options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+ options.Cookie.SameSite = SameSiteMode.Lax;
+ options.Cookie.Name = "LiteCharmsApp.Session";
+ })
 .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
 {
 options.Authority = authOptions.Authority;
-
 options.ClientId = authOptions.ClientId;
 options.ClientSecret = authOptions.ClientSecret;
 options.ResponseType = "code";
-
+
 options.SaveTokens = true;
- options.GetClaimsFromUserInfoEndpoint = true;
-
+ options.GetClaimsFromUserInfoEndpoint = true;
+ options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
+ options.CorrelationCookie.SameSite = SameSiteMode.None;
+
+ options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
+ options.NonceCookie.SameSite = SameSiteMode.None;
+
 options.ForwardSignOut = CookieAuthenticationDefaults.AuthenticationScheme;
-
+
 options.Scope.Clear();
 options.Scope.Add("openid");
 options.Scope.Add("profile");
 options.Scope.Add("email");
-
+
 options.Events = new OpenIdConnectEvents
 {
 OnRedirectToIdentityProviderForSignOut = context =>
 {
 var idToken = context.ProtocolMessage.IdTokenHint;
-
+
 if (string.IsNullOrEmpty(idToken))
 {
 var tokens = context.Properties.GetTokens();
 var idTokenItem = tokens.FirstOrDefault(t => string.Equals(t.Name, "id_token", StringComparison.Ordinal));
-
+
 if (idTokenItem != null) context.ProtocolMessage.IdTokenHint = idTokenItem.Value;
-
+
 return Task.CompletedTask;
 },
 };
diff --git a/LiteCharms.Features/LiteCharms.Features.csproj b/LiteCharms.Features/LiteCharms.Features.csproj
index 3d04244..3012a68 100644
--- a/LiteCharms.Features/LiteCharms.Features.csproj
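Review bot: The SameSite values chosen in the new `AddCookie` lambda (`SameSiteMode.Lax`) and on `CorrelationCookie`/`NonceCookie` (`SameSiteMode.None`) differ for a reason the code does not state, and a later "consistency" cleanup that aligns them would break sign-in; add `// Correlation/nonce cookies must be SameSite=None: the IdP callback arrives as a cross-site request (the handler's default response_mode is form_post) and Lax would drop them, producing a login loop; the session cookie is only read on same-site navigations, so Lax is sufficient there.` above the CorrelationCookie lines. Because `SecurePolicy = CookieSecurePolicy.Always` now applies to all three cookies, an environment served over plain HTTP (typically local development) will never get them back from the browser, so that requirement belongs in the same comment. The session cookie could additionally take the `__Host-` prefix, `options.Cookie.Name = "__Host-LiteCharmsApp.Session";`, which pins it to this origin and to `Path=/`; that is only valid when the app is hosted at the site root, which the hunk does not show, so confirm before adopting. The enclosing method begins and ends outside the hunk, and the removed-line marker in front of `options.ClientId = authOptions.ClientId;` reads as a stripped blank line given the diffstat, but if it is a real removal the client id must be restored.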
+++ b/LiteCharms.Features/LiteCharms.Features.csproj
@@ -197,6 +197,7 @@
+