From 532e9933f3e9463933346fa1312e503ce44474dc Mon Sep 17 00:00:00 2001
From: Joseph Doherty <dohejw01@gmail.com>
Date: Fri, 29 May 2026 07:44:33 -0400
Subject: [PATCH] feat(security): extend OtOpcUaCookieOptions with
 RequireHttpsCookie + ZB.MOM.WW cookie name default

---
 .../CookieOptions.cs                          | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Security/CookieOptions.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Security/CookieOptions.cs
index ad581077..ee39de9b 100644
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Security/CookieOptions.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Security/CookieOptions.cs
@@ -1,12 +1,30 @@
 namespace ZB.MOM.WW.OtOpcUa.Security;
 
+/// <summary>
+///     Auth-cookie configuration bound from <c>Security:Cookie</c>. Consumed by a
+///     <c>Configure&lt;IOptions&lt;OtOpcUaCookieOptions&gt;, ILoggerFactory&gt;</c> step inside
+///     <c>AddOtOpcUaAuth</c> that copies the values onto <c>CookieAuthenticationOptions</c>.
+/// </summary>
 public sealed class OtOpcUaCookieOptions
 {
+    /// <summary>Configuration section name (<c>Security:Cookie</c>).</summary>
     public const string SectionName = "Security:Cookie";
 
-    /// <summary>Gets or sets the cookie name.</summary>
-    public string Name { get; set; } = "OtOpcUa.Auth";
+    /// <summary>
+    ///     Auth cookie name. Default uses the <c>ZB.MOM.WW</c> convention; mirrors ScadaBridge's
+    ///     <c>ZB.MOM.WW.ScadaBridge.Auth</c>. Changing this invalidates existing sessions on next
+    ///     deploy.
+    /// </summary>
+    public string Name { get; set; } = "ZB.MOM.WW.OtOpcUa.Auth";
 
-    /// <summary>Idle sliding window, in minutes (default 30).</summary>
+    /// <summary>Idle sliding-window length in minutes (default 30).</summary>
     public int ExpiryMinutes { get; set; } = 30;
+
+    /// <summary>
+    ///     Require HTTPS for the auth cookie. Default <c>true</c>: cookie is marked
+    ///     <c>SecurePolicy = Always</c>. Set to <c>false</c> ONLY for local dev stacks running
+    ///     plain HTTP — emits a startup Warning when disabled so the misconfiguration is
+    ///     audible.
+    /// </summary>
+    public bool RequireHttpsCookie { get; set; } = true;
 }