fix(review): harden payment, oauth, and migration paths

backend/internal/handler/auth_linuxdo_oauth_test.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"strings"
 	"testing"
 	"time"
@@ -226,6 +227,27 @@ func TestLinuxDoOAuthBindStartAcceptsAccessTokenCookie(t *testing.T) {
 	require.Equal(t, -1, accessTokenCookie.MaxAge)
 }
 
+func TestPrepareOAuthBindAccessTokenCookieSetsHttpOnlyCookie(t *testing.T) {
+	handler, client := newLinuxDoOAuthHandlerAndClient(t, false, config.LinuxDoConnectConfig{})
+	t.Cleanup(func() { _ = client.Close() })
+
+	recorder := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(recorder)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oauth/bind-token", nil)
+	req.Header.Set("Authorization", "Bearer access-token-value")
+	c.Request = req
+
+	handler.PrepareOAuthBindAccessTokenCookie(c)
+
+	require.Equal(t, http.StatusNoContent, recorder.Code)
+	accessTokenCookie := findCookie(recorder.Result().Cookies(), oauthBindAccessTokenCookieName)
+	require.NotNil(t, accessTokenCookie)
+	require.Equal(t, oauthBindAccessTokenCookiePath, accessTokenCookie.Path)
+	require.Equal(t, linuxDoOAuthCookieMaxAgeSec, accessTokenCookie.MaxAge)
+	require.True(t, accessTokenCookie.HttpOnly)
+	require.Equal(t, url.QueryEscape("access-token-value"), accessTokenCookie.Value)
+}
+
 func TestLinuxDoOAuthCallbackCreatesLoginPendingSessionForExistingIdentityUser(t *testing.T) {
 	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {