fix: add cookie secure flag when site is using https

Author: NGPixel

server/controllers/auth.js

@@ -4,8 +4,8 @@ const express = require('express')
 const ExpressBrute = require('express-brute')
 const BruteKnex = require('../helpers/brute-knex')
 const router = express.Router()
-const moment = require('moment')
 const _ = require('lodash')
+const commonHelper = require('../helpers/common')
 
 const bruteforce = new ExpressBrute(new BruteKnex({
   createTable: true,
@@ -70,7 +70,7 @@ router.all('/login/:strategy/callback', async (req, res, next) => {
     const authResult = await WIKI.models.users.login({
       strategy: req.params.strategy
     }, { req, res })
-    res.cookie('jwt', authResult.jwt, { expires: moment().add(1, 'y').toDate() })
+    res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())
 
     const loginRedirect = req.cookies['loginRedirect']
     if (loginRedirect === '/' && authResult.redirect) {
@@ -102,7 +102,7 @@ router.post('/login', bruteforce.prevent, async (req, res, next) => {
         password: req.body.pass
       }, { req, res })
       req.brute.reset()
-      res.cookie('jwt', authResult.jwt, { expires: moment().add(1, 'y').toDate() })
+      res.cookie('jwt', authResult.jwt, commonHelper.getCookieOpts())
       res.redirect('/')
     } catch (err) {
       const { formStrategies, socialStrategies } = await WIKI.models.authentication.getStrategiesForLegacyClient()
@@ -152,7 +152,7 @@ router.get('/verify/:token', bruteforce.prevent, async (req, res, next) => {
       res.redirect('/login')
     } else {
       const result = await WIKI.models.users.refreshToken(usr)
-      res.cookie('jwt', result.token, { expires: moment().add(1, 'years').toDate() })
+      res.cookie('jwt', result.token, commonHelper.getCookieOpts())
       res.redirect('/')
     }
   } catch (err) {

server/core/auth.js

@@ -8,6 +8,7 @@ const crypto = require('crypto')
 const pem2jwk = require('pem-jwk').pem2jwk
 const randomBytesAsync = require('util').promisify(crypto.randomBytes)
 
+const commonHelper = require('../helpers/common')
 const securityHelper = require('../helpers/security')
 
 /* global WIKI */
@@ -154,7 +155,7 @@ module.exports = {
           if (req.get('content-type') === 'application/json') {
             res.set('new-jwt', newToken.token)
           } else {
-            res.cookie('jwt', newToken.token, { expires: DateTime.utc().plus({ days: 365 }).toJSDate() })
+            res.cookie('jwt', newToken.token, commonHelper.getCookieOpts())
           }
 
           // Avoid caching this response

server/helpers/common.js

@@ -1,4 +1,7 @@
+/* global WIKI */
+
 const _ = require('lodash')
+const { DateTime } = require('luxon')
 
 module.exports = {
   /**
@@ -38,5 +41,11 @@ module.exports = {
       })
       return result
     }, {})
+  },
+  getCookieOpts () {
+    return {
+      expires: DateTime.utc().plus({ days: 365 }).toJSDate(),
+      ...(WIKI.config.host.startsWith('https://') ? { secure: true } : {})
+    }
   }
 }

server/models/users.js

@@ -502,7 +502,7 @@ module.exports = class User extends Model {
       if (!usr.isActive) {
         throw new WIKI.Error.AuthAccountBanned()
       }
-      
+
       await WIKI.models.users.query().patch({
         password: newPassword,
         mustChangePwd: false