Merge pull request #92 from DigiChanges/fix/LC/refresh-token

feat: set secure and sameSite cookies from env variables
Murzbul · Mar 2, 2022 · c243ac4 · c243ac4
2 parents 732bcfc + dc14da3
commit c243ac4
Show file tree

Hide file tree

Showing 9 changed files with 10,895 additions and 6 deletions.
diff --git a/.env.dev b/.env.dev
@@ -2,6 +2,9 @@
 NODE_ENV=development
 NODE_PATH=/home/node/app
 
+SET_COOKIE_SECURE=false
+SET_COOKIE_SAME_SITE=none
+
 # Node.js server configuration
 SERVER_PORT=8089
 

diff --git a/.env.prod b/.env.prod
@@ -2,6 +2,9 @@
 NODE_ENV=production
 NODE_PATH=/home/node/app
 
+SET_COOKIE_SECURE=true
+SET_COOKIE_SAME_SITE=none
+
 # Node.js server configuration
 SERVER_PORT=8089
 

diff --git a/config/development.json b/config/development.json
@@ -2,6 +2,8 @@
   "env": "development",
   "nodePath": "/home/node/app",
   "serverPort": 8089,
+  "setCookieSecure": false,
+  "setCookieSameSite": "none",
   "auth": {
     "authorization": false
   },

diff --git a/config/production.json b/config/production.json
@@ -2,6 +2,8 @@
   "env": "production",
   "nodePath": "/home/node/app",
   "serverPort": 80,
+  "setCookieSecure": true,
+  "setCookieSameSite": "none",
     "auth": {
       "authorization": true
   },

diff --git a/src/Auth/Presentation/Handlers/Express/AuthHandler.ts b/src/Auth/Presentation/Handlers/Express/AuthHandler.ts
@@ -69,8 +69,9 @@ class AuthHandler
                 expires: moment.unix(payload.getExpires()).toDate(),
                 maxAge: payload.getExpires(),
                 path: '/api/auth/refresh-token',
-                secure: MainConfig.getInstance().getConfig().env === 'production',
-                httpOnly: true
+                secure: MainConfig.getInstance().getConfig().setCookieSecure,
+                httpOnly: true,
+                sameSite: MainConfig.getInstance().getConfig().setCookieSameSite
             });
 
         void await this.responder.send(payload, req, res, StatusCode.HTTP_CREATED, new AuthTransformer());
@@ -110,8 +111,9 @@ class AuthHandler
                 expires: moment.unix(payload.getExpires()).toDate(),
                 maxAge: payload.getExpires(),
                 path: '/api/auth/refresh-token',
-                secure: MainConfig.getInstance().getConfig().env === 'production',
-                httpOnly: true
+                secure: MainConfig.getInstance().getConfig().setCookieSecure,
+                httpOnly: true,
+                sameSite: MainConfig.getInstance().getConfig().setCookieSameSite
             });
 
         void await this.responder.send(payload, req, res, StatusCode.HTTP_CREATED, new AuthTransformer());

diff --git a/src/Auth/Presentation/Handlers/Koa/AuthHandler.ts b/src/Auth/Presentation/Handlers/Koa/AuthHandler.ts
@@ -19,6 +19,7 @@ import RegisterRequest from '../../Requests/RegisterRequest';
 import UpdateMeRequest from '../../Requests/UpdateMeRequest';
 import VerifyYourAccountRequest from '../../Requests/VerifyYourAccountRequest';
 import RefreshTokenMiddleware from '../../Middlewares/Koa/RefreshTokenMiddleware';
+import MainConfig from '../../../../Config/mainConfig';
 
 const routerOpts: Router.IRouterOptions = {
     prefix: '/api/auth'
@@ -55,7 +56,9 @@ AuthHandler.post('/login', async(ctx: Koa.ParameterizedContext & any) =>
             expires: moment.unix(payload.getExpires()).toDate(),
             maxAge: payload.getExpires(),
             path: '/api/auth/refresh-token',
-            httpOnly: true
+            secure: MainConfig.getInstance().getConfig().setCookieSecure,
+            httpOnly: true,
+            sameSite: MainConfig.getInstance().getConfig().setCookieSameSite
         });
 
     void await responder.send(payload, ctx, StatusCode.HTTP_CREATED, new AuthTransformer());
@@ -92,7 +95,9 @@ AuthHandler.post('/refresh-token', RefreshTokenMiddleware, async(ctx: Koa.Parame
             expires: moment.unix(payload.getExpires()).toDate(),
             maxAge: payload.getExpires(),
             path: '/api/auth/refresh-token',
-            httpOnly: true
+            secure: MainConfig.getInstance().getConfig().setCookieSecure,
+            httpOnly: true,
+            sameSite: MainConfig.getInstance().getConfig().setCookieSameSite
         });
 
     void await responder.send(payload, ctx, StatusCode.HTTP_OK, new AuthTransformer());

diff --git a/src/Config/mainConfig.ts b/src/Config/mainConfig.ts
@@ -103,6 +103,8 @@ type ApiWhiteType = {
 type ConfigType = {
     env: string;
     nodePath: string;
+    setCookieSecure: boolean;
+    setCookieSameSite: boolean | 'none' | 'lax' | 'strict';
     serverPort: number;
     auth: {
         authorization: boolean;

diff --git a/src/Config/validateEnv.ts b/src/Config/validateEnv.ts
@@ -30,6 +30,8 @@ export function validateEnv()
         JWT_EXPIRES: num(),
         JWT_ISS: str(),
         JWT_AUD: str(),
+        SET_COOKIE_SECURE: bool(),
+        SET_COOKIE_SAME_SITE: str(),
 
         SMTP_HOST: str(),
         SMTP_PORT: num(),