fix(dashboard): conditionally restore __Host- cookie prefix (SEC-03)

Restore the __Host- browser guarantees for the default secure deployment
without breaking plaintext/dev:
- DashboardServiceCollectionExtensions PostConfigure now resolves the cookie
  name as: explicit MxGateway:Dashboard:CookieName override wins; else
  __Host-MxGatewayDashboard when SecurePolicy==Always (RequireHttpsCookie
  true); else the plain MxGatewayDashboard default. Guard: never apply the
  __Host- prefix without Secure (browsers silently drop it).
- DashboardAuthenticationDefaults: add SecureCookieName const; keep the plain
  CookieName as the non-secure fallback.
- Docs corrected to the actual conditional contract (five stale claims):
  gateway.md, GatewayProcessDesign.md, ImplementationPlanGateway.md,
  GatewayDashboardDesign.md, CLAUDE.md; GatewayConfiguration.md phrasing
  tightened.
- Test: DashboardCookieOptionsTests asserts the name flips with
  RequireHttpsCookie and that an explicit override wins.

Server build clean (0 warnings); Dashboard tests 149/149.

Claude-Session: https://claude.ai/code/session_01DMXXvNuPekkkrTEyPNxEkW
This commit is contained in:
Joseph Doherty
2026-07-09 14:53:19 -04:00
parent 5a3951bcfd
commit 7d42c85345
9 changed files with 67 additions and 16 deletions
+3 -1
View File
@@ -451,7 +451,9 @@ Deliverables:
- LDAP bind against `MxGateway:Ldap`,
- LDAP-group → role mapping (`Admin` / `Viewer`) via
`MxGateway:Dashboard:GroupToRole`,
- HTTP-only secure cookie (`__Host-MxGatewayDashboard`),
- HTTP-only secure cookie (`__Host-MxGatewayDashboard` when
`RequireHttpsCookie` is true and no `CookieName` override; else
`MxGatewayDashboard`),
- `/hubs/token` bearer mint for SignalR connections,
- `/logout`,
- antiforgery protection,