Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding 'auto' to secure attribute #86

Merged
merged 5 commits into from
Dec 20, 2019
Merged

adding 'auto' to secure attribute #86

merged 5 commits into from
Dec 20, 2019

Conversation

zekth
Copy link
Contributor

@zekth zekth commented Dec 12, 2019
edited
Loading

Fix #84
secureAuto will set the Secure flag regarding the protocol used for the request. I'd prefer to add another attribute to not arm the current behaviour.

@zekth zekth changed the title adding forceSecure attribute Do not merge : adding forceSecure attribute Dec 12, 2019
@zekth zekth changed the title Do not merge : adding forceSecure attribute adding secureAuto attribute Dec 12, 2019
@williamzhao87
Copy link

williamzhao87 commented Dec 13, 2019
edited
Loading

Suggestion:
Could we implement the secureAuto flag with the same logic as express-session so the two middlewares are more consistent? So the ‘secure’ flag could take ‘true’, ‘false’ or ‘auto’.

See https://github.com/expressjs/session

The cookie.secure option can also be set to the special value 'auto' to have this setting automatically match the determined security of the connection. Be careful when using this setting if the site is available both as HTTP and HTTPS, as once the cookie is set on HTTPS, it will no longer be visible over HTTP. This is useful when the Express "trust proxy" setting is properly setup to simplify development vs production configuration.

SerayaEryn
SerayaEryn approved these changes Dec 14, 2019
View reviewed changes
Copy link
Owner

@SerayaEryn SerayaEryn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@SerayaEryn
Copy link
Owner

Suggestion:
Could we implement the secureAuto flag with the same logic as express-session so the two middlewares are more consistent? So the ‘secure’ flag could take ‘true’, ‘false’ or ‘auto’.

See https://github.com/expressjs/session

The cookie.secure option can also be set to the special value 'auto' to have this setting automatically match the determined security of the connection. Be careful when using this setting if the site is available both as HTTP and HTTPS, as once the cookie is set on HTTPS, it will no longer be visible over HTTP. This is useful when the Express "trust proxy" setting is properly setup to simplify development vs production configuration.

I think this is a good idea.

@zekth What do you think?

@zekth
Copy link
Contributor Author

zekth commented Dec 14, 2019

Suggestion:
Could we implement the secureAuto flag with the same logic as express-session so the two middlewares are more consistent? So the ‘secure’ flag could take ‘true’, ‘false’ or ‘auto’.
See https://github.com/expressjs/session
The cookie.secure option can also be set to the special value 'auto' to have this setting automatically match the determined security of the connection. Be careful when using this setting if the site is available both as HTTP and HTTPS, as once the cookie is set on HTTPS, it will no longer be visible over HTTP. This is useful when the Express "trust proxy" setting is properly setup to simplify development vs production configuration.

I think this is a good idea.

@zekth What do you think?

I agree. I will change to it. This just add polymorphism that's why i added another attribute but as long as you're ok with it i'll do it.

@zekth zekth changed the title adding secureAuto attribute adding 'auto' to secure attribute Dec 15, 2019
@zekth
Copy link
Contributor Author

zekth commented Dec 15, 2019
edited
Loading

ready for review @SerayaEryn . I'm not sure about the Documentation. Maybe @williamzhao87 can review it as you're english native speaking.

@williamzhao87
Copy link

williamzhao87 commented Dec 16, 2019
edited
Loading

Documentation looks fine to me. Thanks for the update!

williamzhao87
williamzhao87 suggested changes Dec 16, 2019
View reviewed changes
lib/fastifySession.js Outdated
@@ -89,7 +89,7 @@ function onSend (options) {
reply.setCookie(
options.cookieName,
session.encryptedSessionId,
session.cookie.options()
session.cookie.options(getRequestProto(request))
Copy link

@williamzhao87 williamzhao87 Dec 16, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also do some other checks besides just the X-Forwarded-Proto header, if possible:
See the issecure function in express-session:
https://github.com/expressjs/session/blob/b22384b712fea118f1c3eb5b0d79312ebd25e97c/index.js#L612

We may also want a way to check a custom header in the case that X-Forwarded-Proto header is overwritten by some ELBs such as AWS ALB)

Can we add another option?
cookie.secureAutoHeader

e.g. If cookie.secureAutoHeader = X-Forwarded-Scheme, instead of checking X-Forwarded-Proto header, we will check the header X-Forwarded-Scheme instead to determine the value for secure when set to auto

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding secureAutoHeader is too custom here. A solution for that would be to add a function for the auto behavior but it's out of scope here IMO

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay that's fine, thanks

@zekth
Copy link
Contributor Author

zekth commented Dec 17, 2019

@SerayaEryn I've fixed a case regarding secure : auto and encrypted connection without header. Now it's shippable to me.

@williamzhao87
Copy link

Should we update the possibility of string type in types/types.d.ts?
interface CookieOptions {
...
secure?: boolean | string;

@zekth
Copy link
Contributor Author

zekth commented Dec 17, 2019

Should we update the possibility of string type in types/types.d.ts?
interface CookieOptions {
...
secure?: boolean | string;

Nice catch tho.

@SerayaEryn SerayaEryn merged commit b3794fe into SerayaEryn:master Dec 20, 2019
@SerayaEryn
Copy link
Owner

Thanks for your contribution.

@zekth zekth deleted the add_secure_http branch December 20, 2019 13:58
@zekth zekth mentioned this pull request Dec 26, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@williamzhao87 williamzhao87 williamzhao87 requested changes

@SerayaEryn SerayaEryn SerayaEryn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secure or nonsecure cookie depending on request type
3 participants
@zekth @williamzhao87 @SerayaEryn