fix: set explicit SameSite=Lax on auth cookies

[VaibhavAcharya]

- Summary

The JWT cookies set by /token and cleared on logout had no SameSite attribute, so we were leaning on the browser default of Lax. Setting it explicitly to Lax in code keeps behaviour stable across browsers and matches how we already pin Secure and HttpOnly. Nothing changes for users.

- Test plan

• go build ./... and go vet ./... pass.
• Added TestSetCookieTokenSameSite and TestClearCookieTokenSameSite that exercise the cookie helpers directly and assert the cookie carries SameSite=Lax. Both pass locally.
• Full integration suite runs in CI.

- Description for the changelog

Set explicit SameSite=Lax on auth cookies.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 351146b9-6c72-4543-9807-c2a46765bae8

📥 Commits

Reviewing files that changed from the base of the PR and between 30e9d81 and 1da1ee5.

📒 Files selected for processing (2)

• api/token.go
• api/token_cookie_test.go

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes

  • Updated authentication cookie handling to include security attributes for both token issuance and token clearing operations to maintain consistent and robust security protocols.

• Tests

  • Added comprehensive test coverage to verify that authentication cookies properly include security attributes in both issuance and clearing scenarios.

Walkthrough

This PR adds the SameSite=Lax attribute to HTTP cookies used for JWT token storage in the OAuth authentication endpoint. The attribute is applied consistently in both setCookieToken (when issuing a new token) and clearCookieToken (when clearing the token). Two new tests verify that both operations correctly set the SameSite, HttpOnly, and Secure cookie attributes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: setting explicit SameSite=Lax on auth cookies, which matches the core changeset.
Description check	✅ Passed	The description is well-related to the changeset, explaining the rationale for the change, test coverage, and expected impact on users.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch vaibhavacharya/ex-1864-identity-cookie-missing-explicit-samesite-attribute-gotrue

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}