From 76c63d3a9475d5ea932dc041067705968901a5bf Mon Sep 17 00:00:00 2001
From: knotteye
Date: Thu, 5 Dec 2019 16:08:50 -0600
Subject: [PATCH] Set sameSite on Authorization cookie Enable toggleable HSTS
---
 config/default.toml | 2 +-
 install/template.local.toml | 4 ++++
 src/controller.ts | 2 +-
 src/http.ts | 17 ++++++++++++-----
 4 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/config/default.toml b/config/default.toml
index 3ff79ca..21b7055 100644
--- a/config/default.toml
+++ b/config/default.toml
@@ -42,7 +42,7 @@ ping = 30
 ping_timeout = 60
 [server.http]
-allow_origin = '*'
+hsts = false
 directory = './site'
 port = 8000
diff --git a/install/template.local.toml b/install/template.local.toml
index 92d6d27..bb32b64 100644
--- a/install/template.local.toml
+++ b/install/template.local.toml
@@ -8,6 +8,10 @@ registration = false
 record = false
 ffmpeg = ''
+[server.http]
+# uncomment to set HSTS when SSL is enabled
+# hsts = true
+
 [database]
 user = ''
 password = ''
diff --git a/src/controller.ts b/src/controller.ts
index 2b3aec2..c87f0c9 100644
--- a/src/controller.ts
+++ b/src/controller.ts
@@ -59,7 +59,7 @@ async function run() {
 db.init(dbcfg, bcryptcfg);
 await cleanup.init();
 api.init(satyr);
- http.init(satyr, config.server.http.port, config.ircd);
+ http.init(satyr, config.server.http, config.ircd);
 mediaserver.init(nms, satyr);
 console.log(`Satyr v${process.env.npm_package_version} ready`);
 }
diff --git a/src/http.ts b/src/http.ts
index f20cd44..a88c569 100644
--- a/src/http.ts
+++ b/src/http.ts
@@ -29,7 +29,7 @@ try{
 }
 var njkconf;
-async function init(satyr: any, port: number, ircconf: any){
+async function init(satyr: any, http: object, ircconf: any){
 njk.configure('templates', {
 autoescape : true,
 express : app,
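Review bot: `allow_origin = '*'` is dropped from the default config, but no hunk in this patch removes a consumer of it; if src/http.ts still reads `config.server.http.allow_origin` (not visible here) it will now get undefined and whatever CORS handling depended on it changes silently. If the key is genuinely unused a sentence in the commit message saying so would help; otherwise it should stay. The new `hsts` key also deserves a comment in the default config, e.g. `# hsts: send Strict-Transport-Security on every response; enable only once the site is served over TLS`.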
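Review bot: The comment `# uncomment to set HSTS when SSL is enabled` understates the consequence: the header set in src/http.ts carries `max-age=5184000` (60 days), and browsers remember the policy for that long, so enabling it while any part of the site is still reachable only over plain HTTP locks those clients out until it expires. Suggest `# uncomment once the whole site is served over HTTPS; browsers cache the HSTS policy for 60 days`.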
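Review bot: `http: object` gives the new parameter no usable shape, which is why the later hunks fall back to bracket access (`http['hsts']`, `http['port']`); under `noImplicitAny` indexing a value typed `object` with a string literal is itself an error, and a typo in the key would go unnoticed at compile time. Declaring the expected config section, `async function init(satyr: any, http: { port: number; hsts?: boolean }, ircconf: any){`, lets the `@@ -45` and `@@ -60` hunks use `http.hsts` and `http.port` and documents what callers must pass. The name `http` also reads like Node's http module; something like `httpcfg` would avoid confusion if that module is imported elsewhere in this file. The body of init continues in the following hunks.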
@@ -45,6 +45,13 @@ async function init(satyr: any, port: number, ircconf: any){
 app.use(cookies());
 app.use(bodyparser.json());
 app.use(bodyparser.urlencoded({ extended: true }));
+ if(http['hsts']){
+ app.use((req, res, next) => {
+ res.append('Strict-Transport-Security', 'max-age=5184000');
+ next();
+ });
+ }
+ app.disable('x-powered-by');
 //site handlers
 await initSite(satyr.registration);
 //api handlers
@@ -60,7 +67,7 @@ async function init(satyr: any, port: number, ircconf: any){
 //res.status(404).render('404.njk', njkconf);
 });
 await initChat(ircconf);
- server.listen(port);
+ server.listen(http['port']);
 }
 async function newNick(socket, skip?: boolean) {
@@ -137,7 +144,7 @@ async function initAPI() {
 app.post('/api/register', (req, res) => {
 api.register(req.body.username, req.body.password, req.body.confirm).then( (result) => {
 if(result[0]) return genToken(req.body.username).then((t) => {
- res.cookie('Authorization', t);
+ res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
 res.send(result);
 return;
 });
@@ -196,7 +203,7 @@ async function initAPI() {
 if(t) {
 if(t['exp'] - 86400 < Math.floor(Date.now() / 1000)){
 return genToken(t['username']).then((t) => {
- res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true});
+ res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
 res.send('{"success":""}');
 return;
 });
@@ -215,7 +222,7 @@ async function initAPI() {
 api.login(req.body.username, req.body.password).then((result) => {
 if(!result){
 genToken(req.body.username).then((t) => {
- res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true});
+ res.cookie('Authorization', t, {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'});
 res.send('{"success":""}');
 })
 }
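Review bot: The HSTS middleware writes a bare `'max-age=5184000'` with no comment saying what the number is, and uses `res.append`, which emits a second Strict-Transport-Security header if an upstream middleware or a TLS-terminating proxy already set one; `res.set` is the idiom for a single-valued header. Suggest `const HSTS_MAX_AGE = 5184000; // 60 days; browsers remember the policy this long, so only enable behind TLS` near the top of the file and `res.set('Strict-Transport-Security', \`max-age=${HSTS_MAX_AGE}\`);` in the middleware. The enclosing init function starts in the previous hunk and ends in the next one.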
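Review bot: The cookie option object `{maxAge: 604800000, httpOnly: true, sameSite: 'Lax'}` is now repeated verbatim here and in the `@@ -196` and `@@ -215` hunks, so the three sites can drift apart on the next change; a module-level `const AUTH_COOKIE_OPTIONS = {maxAge: 604800000, httpOnly: true, sameSite: 'Lax'} as const;` and `res.cookie('Authorization', t, AUTH_COOKIE_OPTIONS);` at each site keeps them in one place. The options still omit `secure`, so the Authorization token is also sent on plain-HTTP requests; since this same patch adds an `hsts` switch meant to be enabled only behind TLS, the same condition should set `secure: true` on the cookie (initAPI takes no arguments, so the flag would have to be stored at module level when init runs). The enclosing initAPI function starts and ends outside the hunk.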