cabinetoffice · IlyasBaqqari-CabinetOffice · Apr 22, 2024 · Apr 19, 2024 · Apr 19, 2024 · Apr 22, 2024
diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java b/src/main/java/gov/cabinetoffice/gapuserservice/util/WebUtil.java
@@ -36,6 +36,15 @@ public static Cookie buildSecureCookie(final String name, final String value) {
         return cookie;
     }
 
+    public static Cookie buildSecureCookie(final String name, final String value, final String domain) {
+        final Cookie cookie = new Cookie(name, value);
+        cookie.setSecure(true);
+        cookie.setHttpOnly(true);
+        cookie.setDomain(domain);
+        cookie.setPath("/");
+        return cookie;
+    }
+
     public static Cookie buildSecureCookie(final String name, final String value, final Integer maxAge) {
         final Cookie cookie = buildSecureCookie(name, value);
         cookie.setMaxAge(maxAge);

diff --git a/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java b/src/main/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2.java
@@ -71,6 +71,9 @@ public class LoginControllerV2 {
     @Value("${jwt.cookie-name}")
     public String userServiceCookieName;
 
+    @Value("${jwt.cookie-domain")
+    public String userServiceCookieDomain;
+
     @Value("${admin-base-url}")
     private String adminBaseUrl;
 
@@ -248,7 +251,7 @@ private Cookie addCustomJwtCookie(final HttpServletResponse response,
                                       final boolean isAdmin) {
         final Map<String, String> customJwtClaims = oneLoginService.generateCustomJwtClaims(userInfo, idToken);
         final String customServiceJwt = customJwtService.generateToken(customJwtClaims, isAdmin);
-        final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, customServiceJwt);
+        final Cookie customJwt = WebUtil.buildSecureCookie(userServiceCookieName, customServiceJwt, userServiceCookieDomain);
         response.addCookie(customJwt);
         return customJwt;
     }

diff --git a/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java b/src/test/java/gov/cabinetoffice/gapuserservice/web/LoginControllerV2Test.java
@@ -91,6 +91,7 @@ void setUp() {
 
         loginController = new LoginControllerV2(oneLoginService, customJwtService, configProperties, encryptionService, oneLoginUserService, findProperties, loggingUtils);
         ReflectionTestUtils.setField(loginController, "userServiceCookieName", "userServiceCookieName");
+        ReflectionTestUtils.setField(loginController, "userServiceCookieDomain", "userServiceCookieDomain");
         ReflectionTestUtils.setField(loginController, "adminBaseUrl", "http:localhost:3000/adminBaseUrl");
         ReflectionTestUtils.setField(loginController, "applicantBaseUrl", "http:localhost:3000/applicantBaseUrl");
         ReflectionTestUtils.setField(loginController, "techSupportAppBaseUrl", "http:localhost:3000/techSupportAppBaseUrl");
@@ -290,7 +291,7 @@ void shouldCreateJwtCookie() throws JSONException {
             final String customToken = "a-custom-valid-token";
             final HttpServletResponse response = Mockito.spy(new MockHttpServletResponse());
             final Map<String, String> claims = Map.of("claim1", "value1", "claim2", "value2");
-            final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "jwtToken");
+            final Cookie cookie = WebUtil.buildSecureCookie("userServiceCookieName", "jwtToken", "userServiceCookieDomain");
             final JSONObject tokenResponse = new JSONObject();
             tokenResponse.put("id_token", idToken).put("access_token", accessToken);