Don't touch authentication cookie on skipped logins

[doubliez]

Related issue

This will fix #1557

Proposed changes

When login was skipped, return the session and don't touch the existing authentication cookie (which would alter its expiry date).

Checklist

• I have read the contributing guidelines
• I have read the security policy
• I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security
  vulnerability, I confirm that I got green light (please contact security@ory.sh) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation within the code base (if appropriate)
• I have documented my changes in the developer guide (if appropriate)

Further comments

[CLAassistant]

All committers have signed the CLA.

[aeneasr]

This looks good! Could you also add a test please? If you need guidance let me know

[aeneasr]

Oh and please sign the CLA :)

[aeneasr]

Ping :)

[doubliez]

I signed the CLA. I'll try to add a test this week. I assume there was no test for this specific case then? ;)

[aeneasr]

Perfect - yes exactly ;)

[doubliez]

@aeneasr I updated the docs regarding RememberFor value for login.

Regarding the tests I was thinking of retrieving the auth cookie from the cookie jar and making sure the Expires value is set correctly, but it seems the net/http/cookiejar package doesn't allow inspecting those values. When retrieving cookies with cookiejar.Cookies(u) it returns only the Name and Value attributes for the cookies: https://github.com/golang/go/blob/master/src/net/http/cookiejar/jar.go#L219

for _, e := range selected {
	cookies = append(cookies, &http.Cookie{Name: e.Name, Value: e.Value})
}

So I'm not sure how to properly test this.

[aeneasr]

Ah, I see - I think that's why the tests didn't catch it, because the Cookie Jar doesn't really concern itself with sessions like the browser does.

I think the only way to get the cookie value is to somehow use the gorilla session decoder to get it (I've tried before but failed but it should in theory be possible IMO) or write a small endpoint and add it to the test server that simply echoes the cookie values as e.g. a json string.

[doubliez]

@aeneasr Since I'm not too familiar with Go and don't have much time to work on this, can you take it from there?

[aeneasr]

SGTM - thank you for your contribution!