From 189df418a2db129cdc86012441af8073029e09c3 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Mon, 2 Mar 2026 13:43:09 -0700
Subject: [PATCH] feat(auth): add TokenCookies to BasicRequestAuthenticator

Add a TokenCookies []string field checked after query params (step 5). Each named cookie's value is passed directly to Authenticator.Authenticate as a token, enabling cookie-based token flows alongside Bearer and query params.

Co-Authored-By: Claude Sonnet 4.5
---
 auth/request.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/auth/request.go b/auth/request.go
index 59f3a08..2c950f2 100644
--- a/auth/request.go
+++ b/auth/request.go
@@ -25,7 +25,7 @@ var ErrNoCredentials = errors.New("no credentials provided")

 // BasicRequestAuthenticator extracts credentials from an HTTP request and delegates
 // verification to a BasicAuthenticator. It supports Basic Auth, Authorization
-// header tokens, custom token headers, and query-parameter tokens.
+// header tokens, custom token headers, query-parameter tokens, and cookies.
 //
 // Use NewBasicRequestAuthenticator for sane defaults.
 type BasicRequestAuthenticator struct {
@@ -62,6 +62,10 @@ type BasicRequestAuthenticator struct {
 // TokenQueryParams lists query parameter names checked for tokens,
 // e.g. []string{"access_token", "token"}.
 TokenQueryParams []string
+
+ // TokenCookies lists cookie names whose values are passed directly as
+ // tokens, e.g. []string{"id_token", "session"}.
+ TokenCookies []string
 }

 // NewBasicRequestAuthenticator returns a BasicRequestAuthenticator with sane defaults:
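Review bot: The TokenCookies comment in the @@ -62,6 hunk does not mention that a cookie is an ambient credential: the browser attaches it without any action by the page and, depending on its SameSite attribute, also on cross-site requests, which is not the case for the Authorization header or the custom token headers. An application that lists a cookie here therefore needs SameSite cookies or a CSRF token check on its state-changing handlers. I would add a line such as `// Cookies are sent by the browser automatically; protect state-changing handlers with SameSite cookies or a CSRF check.` to the field comment and repeat the caveat beside step 5 in the @@ -92,6 hunk. The rest of the struct and the defaults set by NewBasicRequestAuthenticator lie outside this hunk, so whether the field is empty by default is not visible here.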
@@ -92,6 +96,7 @@ func NewBasicRequestAuthenticator(auth BasicAuthenticator) *BasicRequestAuthenti
 // 2. Authorization: (filtered by AuthorizationSchemes)
 // 3. Token headers (TokenHeaders)
 // 4. Query parameters (TokenQueryParams)
+// 5. Cookies (TokenCookies)
 //
 // Returns ErrNoCredentials if no credential form is present in the request.
 func (ra *BasicRequestAuthenticator) Authenticate(r *http.Request) (BasicPrinciple, error) {
@@ -135,5 +140,12 @@ func (ra *BasicRequestAuthenticator) Authenticate(r *http.Request) (BasicPrincip
 }
 }

+ // 5. Cookies
+ for _, name := range ra.TokenCookies {
+ if cookie, err := r.Cookie(name); err == nil && cookie.Value != "" {
+ return a.Authenticate("", cookie.Value)
+ }
+ }
+
 return nil, ErrNoCredentials
 }
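Review bot: The step 5 loop returns the result for the first non-empty cookie, so with the documented example `[]string{"id_token", "session"}` a stale `id_token` cookie yields an authentication error even when a valid `session` cookie is present, and later names are never tried. `r.Cookie` also returns a single cookie when the request carries several with the same name, so a same-named cookie set from a sibling subdomain may take the place of the intended one; recommending `__Host-` prefixed names in the TokenCookies doc limits that. If first-match is intended, say so above the loop: `// First non-empty cookie wins; its Authenticate result is returned and later names are not tried.` The variable `a` and steps 1–4 are defined outside this hunk, so I cannot tell whether the earlier steps behave the same way.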