Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: make _csrf a secure cookie if the website is using https (#8045)

Browse Source 
* Make _csrf a secure cookie if the website is using https

* fix style for TravsCI

* Add `url_parsed` to databasemock
This commit is contained in:
Opliko
2019-11-18 19:07:05 +01:00
committed by Julian Lam
parent b3511f71e0
commit 0efe27b1f2
2 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/middleware/index.js
View File

@@ -32,7 +32,11 @@ middleware.regexes = {
}; };
middleware.applyCSRF = csrf({ middleware.applyCSRF = csrf({
cookie: true, cookie: nconf.get('url_parsed').protocol === 'https:' ? {
secure: true,
sameSite: 'Strict',
httpOnly: true,
} : true,
}); });
middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login'); middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');

1
test/mocks/databasemock.js
View File

@@ -119,6 +119,7 @@ before(async function () {
// Parse out the relative_url and other goodies from the configured URL // Parse out the relative_url and other goodies from the configured URL
const urlObject = url.parse(nconf.get('url')); const urlObject = url.parse(nconf.get('url'));
const relativePath = urlObject.pathname !== '/' ? urlObject.pathname : ''; const relativePath = urlObject.pathname !== '/' ? urlObject.pathname : '';
nconf.set('url_parsed', urlObject);
nconf.set('base_url', urlObject.protocol + '//' + urlObject.host); nconf.set('base_url', urlObject.protocol + '//' + urlObject.host);
nconf.set('secure', urlObject.protocol === 'https:'); nconf.set('secure', urlObject.protocol === 'https:');
nconf.set('use_port', !!urlObject.port); nconf.set('use_port', !!urlObject.port);