fix: add cookie secure flag when site is using https

2 months ago · 1d0d87af6e
parent 7d4627ba0b
commit 1d0d87af6e
4 changed files with 16 additions and 6 deletions
--- a/server/controllers/auth.js
+++ b/server/controllers/auth.js
@ -4,8 +4,8 @@ const express = require('express')
 const ExpressBrute = require('express-brute')
 const BruteKnex = require('../helpers/brute-knex')
 const router = express.Router()
-const moment = require('moment')
 const _ = require('lodash')
+const commonHelper = require('../helpers/common')

 const bruteforce = new ExpressBrute(new BruteKnex({
  createTable: true,
@ -70,7 +70,7 @@ router.all('/login/:strategy/callback', async (req, res, next) => {
    const authResult = await WIKI.models.users.login({
      strategy: req.params.strategy
    }, { req, res })
-    res.cookie('jwt', authResult.jwt, { expires: moment().add(1, 'y').toDate() })
+    res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())

    const loginRedirect = req.cookies['loginRedirect']
    if (loginRedirect === '/' && authResult.redirect) {
@ -102,7 +102,7 @@ router.post('/login', bruteforce.prevent, async (req, res, next) => {
        password: req.body.pass
      }, { req, res })
      req.brute.reset()
-      res.cookie('jwt', authResult.jwt, { expires: moment().add(1, 'y').toDate() })
+      res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())
      res.redirect('/')
    } catch (err) {
      const { formStrategies, socialStrategies } = await WIKI.models.authentication.getStrategiesForLegacyClient()
@ -152,7 +152,7 @@ router.get('/verify/:token', bruteforce.prevent, async (req, res, next) => {
      res.redirect('/login')
    } else {
      const result = await WIKI.models.users.refreshToken(usr)
-      res.cookie('jwt', result.token, { expires: moment().add(1, 'years').toDate() })
+      res.cookie('jwt', result.token, commonHelper.getCookieOpts())
      res.redirect('/')
    }
  } catch (err) {
--- a/server/core/auth.js
+++ b/server/core/auth.js
@ -8,6 +8,7 @@ const crypto = require('crypto')
 const pem2jwk = require('pem-jwk').pem2jwk
 const randomBytesAsync = require('util').promisify(crypto.randomBytes)

+const commonHelper = require('../helpers/common')
 const securityHelper = require('../helpers/security')

 /* global WIKI */
@ -154,7 +155,7 @@ module.exports = {
          if (req.get('content-type') === 'application/json') {
            res.set('new-jwt', newToken.token)
          } else {
-            res.cookie('jwt', newToken.token, { expires: DateTime.utc().plus({ days: 365 }).toJSDate() })
+            res.cookie('jwt', newToken.token, commonHelper.getCookieOpts())
          }

          // Avoid caching this response
--- a/server/helpers/common.js
+++ b/server/helpers/common.js
@ -1,4 +1,7 @@
+/* global WIKI */
+
 const _ = require('lodash')
+const { DateTime } = require('luxon')

 module.exports = {
  /**
@ -38,5 +41,11 @@ module.exports = {
      })
      return result
    }, {})
+  },
+  getCookieOpts () {
+    return {
+      expires: DateTime.utc().plus({ days: 365 }).toJSDate(),
+      ...(WIKI.config.host.startsWith('https://') ? { secure: true } : {})
+    }
  }
 }
--- a/server/models/users.js
+++ b/server/models/users.js
@ -502,7 +502,7 @@ module.exports = class User extends Model {
      if (!usr.isActive) {
        throw new WIKI.Error.AuthAccountBanned()
      }
-      
+
      await WIKI.models.users.query().patch({
        password: newPassword,
        mustChangePwd: false