feat: add 'secureCookies' configuration variable to explicitly set the secure flag and prevent confusion

2024-11-15 03:50:11 +01:00 · 2024-11-14 17:31:17 +01:00 · 2024-11-14 17:31:17 +01:00 · 4ce64206be
commit 4ce64206be
parent 77eef187b7
5 changed files with 10 additions and 3 deletions
--- a/backend/prisma/seed/config.seed.ts
+++ b/backend/prisma/seed/config.seed.ts
@ -20,6 +20,10 @@ const configVariables: ConfigVariables = {
      defaultValue: "http://localhost:3000",
      secret: false,
    },
+    secureCookies: {
+      type: "boolean",
+      defaultValue: "false",
+    },
    showHomePage: {
      type: "boolean",
      defaultValue: "true",
--- a/backend/src/auth/auth.controller.ts
+++ b/backend/src/auth/auth.controller.ts
@ -176,7 +176,7 @@ export class AuthController {
      request.cookies.access_token,
    );

-    const isSecure = this.config.get("general.appUrl").startsWith("https");
+    const isSecure = this.config.get("general.secureCookies");
    response.cookie("access_token", "", {
      maxAge: -1,
      secure: isSecure,
--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@ -334,7 +334,7 @@ export class AuthService {
    refreshToken?: string,
    accessToken?: string,
  ) {
-    const isSecure = this.config.get("general.appUrl").startsWith("https");
+    const isSecure = this.config.get("general.secureCookies");
    if (accessToken)
      response.cookie("access_token", accessToken, {
        sameSite: "lax",
--- a/backend/src/user/user.controller.ts
+++ b/backend/src/user/user.controller.ts
@ -53,7 +53,7 @@ export class UserController {
    @GetUser() user: User,
    @Res({ passthrough: true }) response: Response,
  ) {
-    const isSecure = this.config.get("general.appUrl").startsWith("https");
+    const isSecure = this.config.get("general.secureCookies");

    response.cookie("access_token", "accessToken", {
      maxAge: -1,
--- a/frontend/src/i18n/translations/en-US.ts
+++ b/frontend/src/i18n/translations/en-US.ts
@ -410,6 +410,9 @@ export default {
  "admin.config.general.app-url": "App URL",
  "admin.config.general.app-url.description":
    "On which URL Pingvin Share is available",
+  "admin.config.general.secure-cookies": "Secure cookies",
+  "admin.config.general.secure-cookies.description":
+    "Whether to set the secure flag on cookies. If enabled, the site will not function when accessed over HTTP.",
  "admin.config.general.show-home-page": "Show home page",
  "admin.config.general.show-home-page.description":
    "Whether to show the home page",