Set sameSite on Authorization cookie

Enable toggleable HSTS
4 years ago · 76c63d3a94
parent 8c17149f39
commit 76c63d3a94
4 changed files with 18 additions and 7 deletions
--- a/config/default.toml
+++ b/config/default.toml
@ -42,7 +42,7 @@ ping = 30
 ping_timeout = 60

 [server.http]
-allow_origin = '*'
+hsts = false
 directory = './site'
 port = 8000

--- a/install/template.local.toml
+++ b/install/template.local.toml
@ -8,6 +8,10 @@ registration = false
 record = false
 ffmpeg = '<ffmpeg>'

+[server.http]
+# uncomment to set HSTS when SSL is enabled
+# hsts = true
+
 [database]
 user = '<dbuser>'
 password = '<dbpass>'
--- a/src/controller.ts
+++ b/src/controller.ts
@ -59,7 +59,7 @@ async function run() {
 	db.init(dbcfg, bcryptcfg);
 	await cleanup.init();
 	api.init(satyr);
-	http.init(satyr, config.server.http.port, config.ircd);
+	http.init(satyr, config.server.http, config.ircd);
 	mediaserver.init(nms, satyr);
 	console.log(`Satyr v${process.env.npm_package_version} ready`);
 }
--- a/src/http.ts
+++ b/src/http.ts
@ -29,7 +29,7 @@ try{
 }
 var njkconf;

-async function init(satyr: any, port: number, ircconf: any){
+async function init(satyr: any, http: object, ircconf: any){
 	njk.configure('templates', {
 		autoescape	: true,
 		express   	: app,
@ -45,6 +45,13 @@ async function init(satyr: any, port: number, ircconf: any){
 	app.use(cookies());
 	app.use(bodyparser.json());
 	app.use(bodyparser.urlencoded({ extended: true }));
+	if(http['hsts']){
+		app.use((req, res, next) => {
+			res.append('Strict-Transport-Security', 'max-age=5184000');
+			next();
+		});
+	}
+	app.disable('x-powered-by');
 	//site handlers
 	await initSite(satyr.registration);
 	//api handlers
@ -60,7 +67,7 @@ async function init(satyr: any, port: number, ircconf: any){
 		//res.status(404).render('404.njk', njkconf);
 	});
 	await initChat(ircconf);
-	server.listen(port);
+	server.listen(http['port']);
 }

 async function newNick(socket, skip?: boolean) {
@ -137,7 +144,7 @@ async function initAPI() {
 	app.post('/api/register', (req, res) => {
 		api.register(req.body.username, req.body.password, req.body.confirm).then( (result) => {
 			if(result[0]) return genToken(req.body.username).then((t) => {
-				res.cookie('Authorization', t);
+				res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
 				res.send(result);
 				return;
 			});
@ -196,7 +203,7 @@ async function initAPI() {
 			if(t) {
 				if(t['exp'] - 86400 < Math.floor(Date.now() / 1000)){
 					return genToken(t['username']).then((t) => {
-						res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true});
+						res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
 						res.send('{"success":""}');
 						return;
 					});
@ -215,7 +222,7 @@ async function initAPI() {
 			api.login(req.body.username, req.body.password).then((result) => {
 				if(!result){
 					genToken(req.body.username).then((t) => {
-						res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true});
+						res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
 						res.send('{"success":""}');
 					})
 				}