fix: enable secure cookies if app url starts with https

2024-11-15 03:50:11 +01:00 · 2024-09-24 12:21:41 +02:00 · 2024-09-24 12:21:41 +02:00 · 69752b8b41
commit 69752b8b41
parent ee73293c0f
3 changed files with 22 additions and 3 deletions
--- a/backend/src/auth/auth.controller.ts
+++ b/backend/src/auth/auth.controller.ts
@ -173,11 +173,17 @@ export class AuthController {
    @Res({ passthrough: true }) response: Response,
  ) {
    await this.authService.signOut(request.cookies.access_token);
-    response.cookie("access_token", "accessToken", { maxAge: -1 });
+
+    const isSecure = this.config.get("general.appUrl").startsWith("https");
+    response.cookie("access_token", "accessToken", {
+      maxAge: -1,
+      secure: isSecure,
+    });
    response.cookie("refresh_token", "", {
      path: "/api/auth/token",
      httpOnly: true,
      maxAge: -1,
+      secure: isSecure,
    });
  }

--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@ -272,9 +272,11 @@ export class AuthService {
    refreshToken?: string,
    accessToken?: string,
  ) {
+    const isSecure = this.config.get("general.appUrl").startsWith("https");
    if (accessToken)
      response.cookie("access_token", accessToken, {
        sameSite: "lax",
+        secure: isSecure,
        maxAge: 1000 * 60 * 60 * 24 * 30 * 3, // 3 months
      });
    if (refreshToken)
@ -282,6 +284,7 @@ export class AuthService {
        path: "/api/auth/token",
        httpOnly: true,
        sameSite: "strict",
+        secure: isSecure,
        maxAge: 1000 * 60 * 60 * this.config.get("general.sessionDuration"),
      });
  }
--- a/backend/src/user/user.controller.ts
+++ b/backend/src/user/user.controller.ts
@ -19,10 +19,14 @@ import { UpdateOwnUserDTO } from "./dto/updateOwnUser.dto";
 import { UpdateUserDto } from "./dto/updateUser.dto";
 import { UserDTO } from "./dto/user.dto";
 import { UserSevice } from "./user.service";
+import { ConfigService } from "../config/config.service";

@Controller("users")
 export class UserController {
-  constructor(private userService: UserSevice) {}
+  constructor(
+    private userService: UserSevice,
+    private config: ConfigService,
+  ) {}

  // Own user operations
  @Get("me")
@ -49,11 +53,17 @@ export class UserController {
    @GetUser() user: User,
    @Res({ passthrough: true }) response: Response,
  ) {
-    response.cookie("access_token", "accessToken", { maxAge: -1 });
+    const isSecure = this.config.get("general.appUrl").startsWith("https");
+
+    response.cookie("access_token", "accessToken", {
+      maxAge: -1,
+      secure: isSecure,
+    });
    response.cookie("refresh_token", "", {
      path: "/api/auth/token",
      httpOnly: true,
      maxAge: -1,
+      secure: isSecure,
    });
    return new UserDTO().from(await this.userService.delete(user.id));
  }