Set sameSite on Authorization cookie

Enable toggleable HSTS
merge-requests/6/head
knotteye 2019-12-05 16:08:50 -06:00
parent 8c17149f39
commit 76c63d3a94
4 changed files with 18 additions and 7 deletions

View File

@ -42,7 +42,7 @@ ping = 30
ping_timeout = 60 ping_timeout = 60
[server.http] [server.http]
allow_origin = '*' hsts = false
directory = './site' directory = './site'
port = 8000 port = 8000

View File

@ -8,6 +8,10 @@ registration = false
record = false record = false
ffmpeg = '<ffmpeg>' ffmpeg = '<ffmpeg>'
[server.http]
# uncomment to set HSTS when SSL is enabled
# hsts = true
[database] [database]
user = '<dbuser>' user = '<dbuser>'
password = '<dbpass>' password = '<dbpass>'

View File

@ -59,7 +59,7 @@ async function run() {
db.init(dbcfg, bcryptcfg); db.init(dbcfg, bcryptcfg);
await cleanup.init(); await cleanup.init();
api.init(satyr); api.init(satyr);
http.init(satyr, config.server.http.port, config.ircd); http.init(satyr, config.server.http, config.ircd);
mediaserver.init(nms, satyr); mediaserver.init(nms, satyr);
console.log(`Satyr v${process.env.npm_package_version} ready`); console.log(`Satyr v${process.env.npm_package_version} ready`);
} }

View File

@ -29,7 +29,7 @@ try{
} }
var njkconf; var njkconf;
async function init(satyr: any, port: number, ircconf: any){ async function init(satyr: any, http: object, ircconf: any){
njk.configure('templates', { njk.configure('templates', {
autoescape : true, autoescape : true,
express : app, express : app,
@ -45,6 +45,13 @@ async function init(satyr: any, port: number, ircconf: any){
app.use(cookies()); app.use(cookies());
app.use(bodyparser.json()); app.use(bodyparser.json());
app.use(bodyparser.urlencoded({ extended: true })); app.use(bodyparser.urlencoded({ extended: true }));
if(http['hsts']){
app.use((req, res, next) => {
res.append('Strict-Transport-Security', 'max-age=5184000');
next();
});
}
app.disable('x-powered-by');
//site handlers //site handlers
await initSite(satyr.registration); await initSite(satyr.registration);
//api handlers //api handlers
@ -60,7 +67,7 @@ async function init(satyr: any, port: number, ircconf: any){
//res.status(404).render('404.njk', njkconf); //res.status(404).render('404.njk', njkconf);
}); });
await initChat(ircconf); await initChat(ircconf);
server.listen(port); server.listen(http['port']);
} }
async function newNick(socket, skip?: boolean) { async function newNick(socket, skip?: boolean) {
@ -137,7 +144,7 @@ async function initAPI() {
app.post('/api/register', (req, res) => { app.post('/api/register', (req, res) => {
api.register(req.body.username, req.body.password, req.body.confirm).then( (result) => { api.register(req.body.username, req.body.password, req.body.confirm).then( (result) => {
if(result[0]) return genToken(req.body.username).then((t) => { if(result[0]) return genToken(req.body.username).then((t) => {
res.cookie('Authorization', t); res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
res.send(result); res.send(result);
return; return;
}); });
@ -196,7 +203,7 @@ async function initAPI() {
if(t) { if(t) {
if(t['exp'] - 86400 < Math.floor(Date.now() / 1000)){ if(t['exp'] - 86400 < Math.floor(Date.now() / 1000)){
return genToken(t['username']).then((t) => { return genToken(t['username']).then((t) => {
res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true}); res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
res.send('{"success":""}'); res.send('{"success":""}');
return; return;
}); });
@ -215,7 +222,7 @@ async function initAPI() {
api.login(req.body.username, req.body.password).then((result) => { api.login(req.body.username, req.body.password).then((result) => {
if(!result){ if(!result){
genToken(req.body.username).then((t) => { genToken(req.body.username).then((t) => {
res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true}); res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
res.send('{"success":""}'); res.send('{"success":""}');
}) })
} }