Set cookies for OAuth flows when SendJWTHeader is enabled

This fixes umputun/remark42#1877 where OAuth
 authentication
fails when the send-jwt-header option is enabled. The problem occurred
 because:

1. When SendJWTHeader is enabled, the auth service only sends the JWT
as a header
   without setting cookies
2. During OAuth flows, the authentication involves redirects between
the app and the
   provider
3. HTTP headers don't persist through redirects, so the authentication
 state was lost

The solution:
- Modified the jwt.go token Set method to always set cookies during
OAuth handshake
  phases (when claims.Handshake != nil), even when SendJWTHeader is
enabled
- For normal authentication (non-handshake), maintain the original
behavior where
  SendJWTHeader=true will only set headers
- This ensures the OAuth flow works properly while maintaining the
correct behavior
  for API requests

Author: paskal

token/jwt.go

@@ -247,16 +247,25 @@ func (j *Service) Set(w http.ResponseWriter, claims Claims) (Claims, error) {
 		return Claims{}, fmt.Errorf("failed to make token token: %w", err)
 	}
 
-	if j.SendJWTHeader {
-		w.Header().Set(j.JWTHeaderKey, tokenString)
-		return claims, nil
-	}
-
 	cookieExpiration := 0 // session cookie
 	if !claims.SessionOnly && claims.Handshake == nil {
 		cookieExpiration = int(j.CookieDuration.Seconds())
 	}
 
+	// For OAuth handshake, always set cookies regardless of SendJWTHeader flag
+	// This allows the OAuth flow to complete successfully
+	needsCookies := claims.Handshake != nil
+
+	// Set the JWT in the header if requested
+	if j.SendJWTHeader {
+		w.Header().Set(j.JWTHeaderKey, tokenString)
+		// Skip setting cookies unless this is part of OAuth handshake
+		if !needsCookies {
+			return claims, nil
+		}
+	}
+
+	// Set cookies (always for OAuth handshake, or when SendJWTHeader is false)
 	jwtCookie := http.Cookie{Name: j.JWTCookieName, Value: tokenString, HttpOnly: true, Path: "/", Domain: j.JWTCookieDomain,
 		MaxAge: cookieExpiration, Secure: j.SecureCookies, SameSite: j.SameSite}
 	http.SetCookie(w, &jwtCookie)

v2/token/jwt.go

@@ -264,16 +264,25 @@ func (j *Service) Set(w http.ResponseWriter, claims Claims) (Claims, error) {
 		return Claims{}, fmt.Errorf("failed to make token token: %w", err)
 	}
 
-	if j.SendJWTHeader {
-		w.Header().Set(j.JWTHeaderKey, tokenString)
-		return claims, nil
-	}
-
 	cookieExpiration := 0 // session cookie
 	if !claims.SessionOnly && claims.Handshake == nil {
 		cookieExpiration = int(j.CookieDuration.Seconds())
 	}
 
+	// For OAuth handshake, always set cookies regardless of SendJWTHeader flag
+	// This allows the OAuth flow to complete successfully
+	needsCookies := claims.Handshake != nil
+
+	// Set the JWT in the header if requested
+	if j.SendJWTHeader {
+		w.Header().Set(j.JWTHeaderKey, tokenString)
+		// Skip setting cookies unless this is part of OAuth handshake
+		if !needsCookies {
+			return claims, nil
+		}
+	}
+
+	// Set cookies (always for OAuth handshake, or when SendJWTHeader is false)
 	jwtCookie := http.Cookie{Name: j.JWTCookieName, Value: tokenString, HttpOnly: true, Path: "/", Domain: j.JWTCookieDomain,
 		MaxAge: cookieExpiration, Secure: j.SecureCookies, SameSite: j.SameSite}
 	http.SetCookie(w, &jwtCookie)