From 77cb90fb9a194c666590a3b2dcff9e10016948da Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 30 Jan 2026 09:07:34 +0000
Subject: [PATCH] Fix OIDC session persistence by setting remember me cookie

- Add remember me cookie creation for OAuth2/OIDC login (non-2FA path)
- Set twofaRemember to true for OAuth2/OIDC login with 2FA
- Import required auth_service and timeutil packages
- Cookie expires after LOGIN_REMEMBER_DAYS like regular login

Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
---
 routers/web/auth/oauth.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index b96ea17bc3..89c830b845 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -21,6 +21,8 @@ import (
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
+	auth_service "code.gitea.io/gitea/services/auth"
 	source_service "code.gitea.io/gitea/services/auth/source"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 	"code.gitea.io/gitea/services/context"
@@ -380,6 +382,14 @@ func handleOAuth2SignIn(ctx *context.Context, authSource *auth.Source, u *user_m
 			return
 		}
 
+		// Set the remember me cookie for OAuth2 login to persist the session
+		nt, token, err := auth_service.CreateAuthTokenForUserID(ctx, u.ID)
+		if err != nil {
+			ctx.ServerError("CreateAuthTokenForUserID", err)
+			return
+		}
+		ctx.SetSiteCookie(setting.CookieRememberName, nt.ID+":"+token, setting.LogInRememberDays*timeutil.Day)
+
 		if err := updateSession(ctx, nil, map[string]any{
 			session.KeyUID:                  u.ID,
 			session.KeyUname:                u.Name,
@@ -408,7 +418,7 @@ func handleOAuth2SignIn(ctx *context.Context, authSource *auth.Source, u *user_m
 	if err := updateSession(ctx, nil, map[string]any{
 		// User needs to use 2FA, save data and redirect to 2FA page.
 		"twofaUid":      u.ID,
-		"twofaRemember": false,
+		"twofaRemember": true, // OAuth2 login should always be remembered
 	}); err != nil {
 		ctx.ServerError("updateSession", err)
 		return