fix: Add samesite setting for XSRF (#257)

* Add samesite setting for XSRF * Update package version number for cookie samesite release --------- Co-authored-by: Andy Wilkins <49269487+andywilkinshmcts@users.noreply.github.com>
hmcts · Dec 18, 2024 · 6ee0223 · 6ee0223
1 parent 57c9c9e
commit 6ee0223
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/rpx-xui-node-lib",
-  "version": "2.29.6",
+  "version": "2.29.7",
   "description": "Common nodejs library components for XUI",
   "main": "dist/index",
   "types": "dist/index.d.ts",

diff --git a/src/auth/models/strategy.class.ts b/src/auth/models/strategy.class.ts
@@ -1,5 +1,5 @@
 import * as events from 'events'
-import { NextFunction, Request, RequestHandler, Response, Router } from 'express'
+import { CookieOptions, NextFunction, Request, RequestHandler, Response, Router } from 'express'
 import passport from 'passport'
 import { AUTH } from '../auth.constants'
 import jwtDecode from 'jwt-decode'
@@ -450,9 +450,14 @@ export abstract class Strategy extends events.EventEmitter {
             const csrfProtection = csrf({
                 value: this.getCSRFValue,
             })
+            // cookie options added via EXUI-986, fortify issues
+            const cookieOptions: CookieOptions = {
+                sameSite: 'none',
+                secure: true,
+            }
             /* istanbul ignore next */
             this.router.use(csrfProtection, (req, res, next) => {
-                res.cookie('XSRF-TOKEN', req.csrfToken())
+                res.cookie('XSRF-TOKEN', req.csrfToken(), cookieOptions)
                 next()
             })
         }