bug #1259 fix issue #1258 JWTCookieProvider does set flags cookie fla…

…gs when va… (mustapayev)

This PR was merged into the 3.x branch.

Discussion
----------

fix issue #1258 JWTCookieProvider does set flags cookie flags when va…

fixes issue #1258

Commits
-------

d3650a1 fix issue #1258 JWTCookieProvider does set flags cookie flags when value is false

Security/Http/Cookie/JWTCookieProvider.php

@@ -71,11 +71,11 @@ public function createCookie(string $jwt, ?string $name = null, $expiresAt = nul
             $expiresAt,
             $path ?: $this->defaultPath,
             $domain ?: $this->defaultDomain,
-            $secure ?: $this->defaultSecure,
-            $httpOnly ?: $this->defaultHttpOnly,
+            $secure ?? $this->defaultSecure,
+            $httpOnly ?? $this->defaultHttpOnly,
             false,
             $sameSite ?: $this->defaultSameSite,
-            $partitioned ?: $this->defaultPartitioned
+            $partitioned ?? $this->defaultPartitioned
         );
     }
 }

Tests/Security/Http/Cookie/JWTCookieProviderTest.php

@@ -4,6 +4,7 @@
 
 use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider;
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Cookie;
 
 /**
  * JWTCookieProviderTest.
@@ -35,4 +36,100 @@ public function testCreateSessionCookie()
 
         $this->assertSame(0, $cookie->getExpiresTime());
     }
+
+    /**
+     * @dataProvider createCookieFlagDataProvider
+     */
+    public function testCreateCookieHttpOnlyFlag(bool $defaultHttpOnlyFlag, bool $httpOnlyParam, bool $expectedFlag): void
+    {
+        $cookieProvider = new JWTCookieProvider(
+            "default_name",
+            0,
+            Cookie::SAMESITE_LAX,
+            '/',
+            null,
+            true,
+            $defaultHttpOnlyFlag
+        );
+        $cookie = $cookieProvider->createCookie(
+            "header.payload.signature",
+            null,
+            null,
+            null,
+            null,
+            null,
+            null,
+            $httpOnlyParam
+        );
+
+        $this->assertSame($expectedFlag, $cookie->isHttpOnly());
+    }
+
+    /**
+     * @dataProvider createCookieFlagDataProvider
+     */
+    public function testCreateCookieSecureFlag(bool $defaultSecureFlag, bool $secureParam, bool $expectedFlag): void
+    {
+        $cookieProvider = new JWTCookieProvider(
+            "default_name",
+            0,
+            Cookie::SAMESITE_LAX,
+            '/',
+            null,
+            $defaultSecureFlag
+        );
+        $cookie = $cookieProvider->createCookie(
+            "header.payload.signature",
+            null,
+            null,
+            null,
+            null,
+            null,
+            $secureParam
+        );
+
+        $this->assertSame($expectedFlag, $cookie->isSecure());
+    }
+
+    /**
+     * @dataProvider createCookieFlagDataProvider
+     */
+    public function testCreateCookiePartitionedFlag(bool $defaultPartitionedFlag, bool $parititionedParam, bool $expectedFlag): void
+    {
+        $cookieProvider = new JWTCookieProvider(
+            "default_name",
+            0,
+            Cookie::SAMESITE_LAX,
+            '/',
+            null,
+            true,
+            true,
+            [],
+            $defaultPartitionedFlag
+        );
+        $cookie = $cookieProvider->createCookie(
+            "header.payload.signature",
+            null,
+            null,
+            null,
+            null,
+            null,
+            true,
+            true,
+            [],
+            $parititionedParam
+        );
+
+        $this->assertSame($expectedFlag, $cookie->isPartitioned());
+    }
+
+    public static function createCookieFlagDataProvider(): array
+    {
+        return [
+            [true, true, true],
+            [false, false, false],
+            [true, false, false],
+            [false, true, true],
+        ];
+    }
 }