
Copilot AI commented Jul 19, 2025

This PR addresses the frequent logout issues reported in #58 by fixing two key problems with cookie handling and OAuth redirect flow.

Issues Fixed

1. Missing Cookie Security Attributes

The JWT cookie was only setting basic attributes (Name, Value, HttpOnly, Expires), missing several critical security attributes that could cause browsers to reject or not properly persist cookies in complex deployment scenarios.

Before:

http.SetCookie(rw, &http.Cookie{
    Name:     constant.COOKIE_NAME_JWT,
    Value:    tokenString,
    HttpOnly: true,
    Expires:  exp,
})

After:

// Determine if the request is secure (HTTPS)
secure := req.TLS != nil

http.SetCookie(rw, &http.Cookie{
    Name:     constant.COOKIE_NAME_JWT,
    Value:    tokenString,
    Path:     "/",
    HttpOnly: true,
    Secure:   secure,
    SameSite: http.SameSiteLaxMode,
    Expires:  exp,
})

2. Lost Query Parameters in OAuth Redirects

The getRawRequestUrl function was not preserving query parameters during OAuth redirects, causing users to lose context when re-authentication was required.

Before:

url.Path = originalReq.URL.Path
return url.String()

After:

url.Path = originalReq.URL.Path
url.RawQuery = originalReq.URL.RawQuery
return url.String()

Why These Changes Fix Frequent Logouts

  1. Browser Compatibility: The added cookie attributes (Path, SameSite, Secure) ensure cookies are properly handled by modern browsers in:

    • Multi-subdomain environments
    • Load-balanced setups (like AWS NLB → Traefik pods)
    • Mixed HTTP/HTTPS configurations
    • Security-conscious browser settings
  2. Load Balancer Resilience: Enhanced cookie attributes improve compatibility with complex deployment scenarios involving multiple Traefik pods behind load balancers

  3. User Experience: Preserving query parameters means users maintain their intended destination and context during re-authentication flows

Testing

Added comprehensive tests covering:

  • URL preservation with various scenarios (HTTP/HTTPS, with/without query params)
  • Configuration defaults validation
  • Random string generation functionality

All existing tests continue to pass, ensuring backward compatibility.

Impact

  • Minimal changes: Only 7 lines modified in core middleware logic
  • No breaking changes: Fully backward compatible
  • Enhanced security: Better cookie security practices
  • Improved UX: Context preservation during authentication flows

This should significantly reduce the frequent logout issues experienced in multi-pod Traefik deployments.

Fixes #58.
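Added example (my code, not this PR's or the project's) showing what the two cookie changes above actually do in a browser-style cookie store, plus the one check the PR's `secure := req.TLS != nil` line does not make. It uses `net/http/cookiejar` as a stand-in browser (RFC 6265 default-path and path-matching rules), reproduces one concrete effect of omitting `Path` (a cookie set by a response at `/oauth/callback` is scoped to `/oauth` and never reaches `/dashboard`), and shows that `req.TLS` is nil when a proxy in front terminates TLS, so `Secure` would be false there. Assumptions: the cookie name `jwt` stands in for `constant.COOKIE_NAME_JWT`, the callback path `/oauth/callback` and host `app.example.com` are constructed, and the `trustForwardedProto` option is mine, not part of the PR.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// cookieName stands in for constant.COOKIE_NAME_JWT; the real name is not shown on this page.
const cookieName = "jwt"

// requestIsHTTPS reports whether the client reached us over TLS. The PR uses
// req.TLS != nil alone; that is nil whenever a proxy in front of the handler
// terminates TLS, so the cookie would then be issued without Secure.
// trustForwardedProto is an assumed option (not in the PR) that additionally
// honours X-Forwarded-Proto; enable it only when a trusted proxy sets or
// overwrites that header, otherwise a client can forge it.
func requestIsHTTPS(req *http.Request, trustForwardedProto bool) bool {
	if req.TLS != nil {
		return true
	}
	return trustForwardedProto &&
		strings.EqualFold(req.Header.Get("X-Forwarded-Proto"), "https")
}

// sessionCookie builds the JWT cookie with the attributes the PR adds:
// Path=/ so every route receives it, HttpOnly, Secure on HTTPS, and
// SameSite=Lax (still sent on the top-level GET back from the identity provider).
func sessionCookie(req *http.Request, token string, exp time.Time, trustForwardedProto bool) *http.Cookie {
	return &http.Cookie{
		Name:     cookieName,
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   requestIsHTTPS(req, trustForwardedProto),
		SameSite: http.SameSiteLaxMode,
		Expires:  exp,
	}
}

// legacyCookie reproduces the "Before" cookie from the PR: no Path, Secure or SameSite.
func legacyCookie(token string, exp time.Time) *http.Cookie {
	return &http.Cookie{Name: cookieName, Value: token, HttpOnly: true, Expires: exp}
}

// sentTo acts as a browser cookie store: it stores c as if set by a response
// to setURL and reports whether the store would attach it to a request for target.
func sentTo(c *http.Cookie, setURL, target string) bool {
	jar, err := cookiejar.New(nil)
	if err != nil {
		panic(err)
	}
	su, err := url.Parse(setURL)
	if err != nil {
		panic(err)
	}
	tu, err := url.Parse(target)
	if err != nil {
		panic(err)
	}
	jar.SetCookies(su, []*http.Cookie{c})
	for _, got := range jar.Cookies(tu) {
		if got.Name == c.Name {
			return true
		}
	}
	return false
}

func main() {
	const callback = "https://app.example.com/oauth/callback" // constructed callback URL
	const page = "https://app.example.com/dashboard"          // constructed app page
	exp := time.Now().Add(time.Hour)

	// Without a Path attribute the store scopes the cookie to /oauth (the directory of
	// the setting URL), so a request for /dashboard carries no session at all.
	fmt.Println("before, sent to /dashboard:", sentTo(legacyCookie("tok", exp), callback, page))

	req := httptest.NewRequest("GET", callback, nil) // https target => req.TLS is non-nil
	after := sessionCookie(req, "tok", exp, false)
	fmt.Println("after, sent to /dashboard:", sentTo(after, callback, page), "Secure:", after.Secure)

	// Behind a TLS-terminating proxy req.TLS is nil; only the forwarded header says it was HTTPS.
	proxied := httptest.NewRequest("GET", "http://app.example.com/oauth/callback", nil)
	proxied.Header.Set("X-Forwarded-Proto", "https")
	fmt.Println("proxied, Secure with PR logic:", sessionCookie(proxied, "tok", exp, false).Secure)
	fmt.Println("proxied, Secure trusting header:", sessionCookie(proxied, "tok", exp, true).Secure)
}
```

Run it with `go run .`; the first line prints `false` and the second `true`, which is the difference `Path: "/"` makes. If Traefik terminates TLS itself (as with an NLB passing TCP through) `req.TLS` is set and the PR's check is enough; if something upstream terminates TLS instead, either trust the forwarded header from that hop only or set `Secure` unconditionally for an HTTPS-only deployment.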



@luizfonseca (Owner) commented:

@copilot use semantic commits for everything (PR title, commits).

Copilot AI changed the title from "[WIP] Frequent logouts" to "Fix frequent logout issues: improve cookie security attributes and URL preservation" on Jul 19, 2025
Copilot AI requested a review from luizfonseca July 19, 2025 22:43

Copilot AI commented Jul 19, 2025

> @copilot use semantic commits for everything (PR title, commits).

Updated to use semantic commit format. The commit now follows conventional commits with fix(middleware): resolve frequent logout issues with cookie handling and URL preservation. PR title and commit message both follow the semantic format as requested. (67afc5f)

@luizfonseca changed the title from "Fix frequent logout issues: improve cookie security attributes and URL preservation" to "fix: frequent logout issues -- improve cookie security attributes and URL preservation" on Jul 19, 2025
@luizfonseca luizfonseca mentioned this pull request Jul 19, 2025
@luizfonseca luizfonseca marked this pull request as ready for review October 13, 2025 14:20