From 3da302e35f179a107c75fb87e35f63599ae23f0b Mon Sep 17 00:00:00 2001
From: Evert Prants
Date: Sun, 11 Sep 2022 12:31:09 +0300
Subject: [PATCH] secure cookies
---
 pages/api/[...path].ts | 7 ++++++-
 pages/api/callback.ts | 8 +++++---
 pages/api/login.ts | 6 ++++--
 pages/api/logout.ts | 5 ++++-
 4 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/pages/api/[...path].ts b/pages/api/[...path].ts
index 2fe5dbe..e505aab 100644
--- a/pages/api/[...path].ts
+++ b/pages/api/[...path].ts
@@ -4,12 +4,17 @@ import Cookies from 'cookies';
 import { NextApiRequest, NextApiResponse } from 'next';
 import { COOKIE_KEYS } from '../../lib/constants';
+const inProd = process.env.NODE_ENV === 'production';
+
 const handler = (req: NextApiRequest, res: NextApiResponse) => {
 return new Promise((resolve, reject) => {
 // removes the api prefix from url
 // req.url = req.url!.replace(/^\/api/, '');
- const cookies = new Cookies(req, res, { keys: COOKIE_KEYS });
+ const cookies = new Cookies(req, res, {
+ keys: COOKIE_KEYS,
+ secure: inProd,
+ });
 const authorization = cookies.get('authorization', { signed: true });
 // don't forwards the cookies to the target server
diff --git a/pages/api/callback.ts b/pages/api/callback.ts
index 4c3eb45..22494b5 100644
--- a/pages/api/callback.ts
+++ b/pages/api/callback.ts
@@ -5,6 +5,8 @@ import Cookies from 'cookies';
 import { COOKIE_KEYS, REDIRECT_URL } from '../../lib/constants';
 import { decrypt } from '../../lib/utils/crypto';
+const inProd = process.env.NODE_ENV === 'production';
+
 export default async function handler(
 req: NextApiRequest,
 res: NextApiResponse
@@ -14,7 +16,7 @@ export default async function handler(
 }
 const getAuth = await getAccessToken(req.query.code as string);
- const cookies = new Cookies(req, res, { keys: COOKIE_KEYS });
+ const cookies = new Cookies(req, res, { keys: COOKIE_KEYS, secure: inProd });
 if (getAuth) {
 const decrypted = decrypt(req.query.state as string);
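Review bot: `const inProd = process.env.NODE_ENV === 'production';` is declared afresh in this hunk and again in each of the other three handlers in the patch; one export beside `COOKIE_KEYS` in `lib/constants` (`export const IN_PROD = process.env.NODE_ENV === 'production';`) keeps the four cookie configurations from drifting apart. The `secure: inProd` passed to the `Cookies` constructor is a different knob from the per-cookie Secure attribute and deserves a why-comment, something like `// tell the cookies lib the connection is TLS in production -- presumably because it cannot see the scheme behind a TLS-terminating proxy`, adjusted to the real deployment. Keying it on NODE_ENV rather than on the request scheme also means a production instance reached over plain HTTP would emit Secure cookies that browsers discard, so login would fail silently there; a one-line note on the constant saves the next person a debugging session. `handler` continues past the end of the hunk.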
@@ -30,14 +32,14 @@ export default async function handler(
 cookies.set('authorization', getAuth.access_token, {
 expires: new Date(Date.now() + getAuth.expires_in * 1000),
- secure: process.env.NODE_ENV === 'production',
+ secure: inProd,
 sameSite: 'strict',
 signed: true,
 });
 cookies.set('validation', undefined, {
 expires: new Date(0),
- secure: process.env.NODE_ENV === 'production',
+ secure: inProd,
 sameSite: 'strict',
 signed: true,
 });
diff --git a/pages/api/login.ts b/pages/api/login.ts
index 2971a62..5ce8345 100644
--- a/pages/api/login.ts
+++ b/pages/api/login.ts
@@ -8,6 +8,8 @@ import {
 } from '../../lib/constants';
 import { encrypt, generateString } from '../../lib/utils/crypto';
+const inProd = process.env.NODE_ENV === 'production';
+
 export default function handler(req: NextApiRequest, res: NextApiResponse) {
 const stateToken = generateString(16);
 const state = encrypt(
@@ -25,10 +27,10 @@ export default function handler(req: NextApiRequest, res: NextApiResponse) {
 state,
 });
- const cookies = new Cookies(req, res, { keys: COOKIE_KEYS });
+ const cookies = new Cookies(req, res, { keys: COOKIE_KEYS, secure: inProd });
 cookies.set('validation', stateToken, {
- secure: process.env.NODE_ENV === 'production',
+ secure: inProd,
 signed: true,
 });
diff --git a/pages/api/logout.ts b/pages/api/logout.ts
index dffdd5d..783b983 100644
--- a/pages/api/logout.ts
+++ b/pages/api/logout.ts
@@ -3,14 +3,17 @@ import { NextApiRequest, NextApiResponse } from 'next';
 import Cookies from 'cookies';
 import { COOKIE_KEYS } from '../../lib/constants';
+const inProd = process.env.NODE_ENV === 'production';
+
 export default async function handler(
 req: NextApiRequest,
 res: NextApiResponse
 ) {
- const cookies = new Cookies(req, res, { keys: COOKIE_KEYS });
+ const cookies = new Cookies(req, res, { keys: COOKIE_KEYS, secure: inProd });
 cookies.set('authorization', undefined, {
 expires: new Date(0),
 signed: true,
+ secure: inProd,
 });
 res.redirect('/');
 }
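Review bot: The attribute block around the two `secure: inProd` lines never states `httpOnly`, so the cookie carrying `getAuth.access_token` is kept out of script reach only by the `cookies` library's default; an explicit `httpOnly: true,` next to `sameSite: 'strict',` records that intent and survives a change in defaults. The context line `expires: new Date(Date.now() + getAuth.expires_in * 1000),` also deserves a guard: if the token response omits `expires_in` (RFC 6749 §5.1 only recommends it) this becomes an Invalid Date, which as far as I can tell the library serializes as `expires=Invalid Date` and browsers then ignore per RFC 6265 §5.2.1, leaving a session cookie by accident rather than by choice. `expires: getAuth.expires_in ? new Date(Date.now() + getAuth.expires_in * 1000) : undefined,` makes that fallback explicit. `handler` starts before this hunk and continues after it.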
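Review bot: `cookies.set('validation', stateToken, { secure: inProd, signed: true, });` at the end of the hunk gives the OAuth state cookie neither an expiry nor an explicit SameSite, so the CSRF-binding token lives for the whole browser session and its cross-site behaviour depends on each browser's default. A short lifetime and a deliberate value fix both: `cookies.set('validation', stateToken, { secure: inProd, signed: true, sameSite: 'lax', expires: new Date(Date.now() + 10 * 60 * 1000) });`. Lax rather than Strict is deliberate: assuming the authorization server redirects back to `/api/callback` from its own origin, a Strict cookie would be withheld on that navigation and the state check could never pass. The callback clears this cookie with `sameSite: 'strict'`, which is harmless because deletion matches on name and path, but worth aligning once a value is chosen. `handler` starts before this hunk.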
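Review bot: `handler` clears the session on any HTTP method, so a top-level navigation from another site to `/api/logout` ends the user's session and redirects them to `/`; the `sameSite: 'strict'` set on `authorization` in callback.ts does not help here, since it governs whether the cookie is sent, not whether the clearing `Set-Cookie` in the response is honoured. A logout CSRF is low impact, but a method check is one line, `if (req.method !== 'POST') { res.status(405).end(); return; }`, after which the client logs out via a form or `fetch` rather than a plain link. For consistency with the `validation` clearing in callback.ts, the clearing call here could also carry `sameSite: 'strict'`, though deletion matches on name and path so that is cosmetic.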