Merge pull request #129 from kinde-oss/fix/cookie-security

fix: Cookie settings and code clean
kinde-oss · Feb 22, 2024 · 998ab75 · 998ab75
2 parents a0a36ea + 5f6ef62
commit 998ab75
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 43 deletions.
diff --git a/src/session/sessionManager.js b/src/session/sessionManager.js
@@ -4,6 +4,23 @@ import {config} from '../config/index';
 
 var cookie = require('cookie');
 
+export const GLOBAL_COOKIE_OPTIONS = {
+  sameSite: 'lax',
+  httpOnly: true,
+  secure: process.env.NODE_ENV === 'production',
+  path: '/',
+}
+
+const COOKIE_LIST = [
+  'id_token_payload',
+  'id_token',
+  'access_token_payload',
+  'access_token',
+  'user',
+  'refresh_token',
+  'post_login_redirect_url'
+]
+
 /**
  *
  * @param {import('next').NextApiRequest} [req]
@@ -54,7 +71,10 @@ export const appRouterSessionManager = (cookieStore) => ({
       cookieStore.set(
         itemKey,
         typeof itemValue === 'object' ? JSON.stringify(itemValue) : itemValue,
-        {domain: config.cookieDomain ? config.cookieDomain : undefined}
+        {
+          domain: config.cookieDomain ? config.cookieDomain : undefined,
+          ...GLOBAL_COOKIE_OPTIONS
+        }
       );
     }
   },
@@ -66,25 +86,19 @@ export const appRouterSessionManager = (cookieStore) => ({
   removeSessionItem: (itemKey) => {
     cookieStore.set(itemKey, '', {
       domain: config.cookieDomain ? config.cookieDomain : undefined,
-      maxAge: 0
+      maxAge: 0,
+      ...GLOBAL_COOKIE_OPTIONS
     });
   },
   /**
    * @returns {Promise<void>}
    */
   destroySession: () => {
-    [
-      'id_token_payload',
-      'id_token',
-      'access_token_payload',
-      'access_token',
-      'user',
-      'refresh_token',
-      'post_login_redirect_url'
-    ].forEach((name) =>
+    COOKIE_LIST.forEach((name) =>
       cookieStore.set(name, '', {
         domain: config.cookieDomain ? config.cookieDomain : undefined,
-        maxAge: 0
+        maxAge: 0,
+        ...GLOBAL_COOKIE_OPTIONS
       })
     );
   }
@@ -137,7 +151,7 @@ export const pageRouterSessionManager = (req, res) => {
           typeof itemValue === 'object' ? JSON.stringify(itemValue) : itemValue,
           {
             domain: config.cookieDomain ? config.cookieDomain : undefined,
-            path: '/'
+            ...GLOBAL_COOKIE_OPTIONS
           }
         )
       ]);
@@ -151,52 +165,37 @@ export const pageRouterSessionManager = (req, res) => {
       res?.setHeader('Set-Cookie', [
         cookie.serialize(itemKey, '', {
           domain: config.cookieDomain ? config.cookieDomain : undefined,
-          path: '/',
-          maxAge: -1
+          maxAge: -1,
+          ...GLOBAL_COOKIE_OPTIONS
         })
       ]);
 
       // remove cookies from the root domain
       res?.setHeader('Set-Cookie', [
         cookie.serialize(itemKey, '', {
           path: '/',
-          maxAge: -1
+          maxAge: -1,
+          ...GLOBAL_COOKIE_OPTIONS
         })
       ]);
     },
     destroySession: () => {
       res?.setHeader('Set-Cookie', [
-        ...[
-          'id_token_payload',
-          'id_token',
-          'access_token_payload',
-          'access_token',
-          'user',
-          'refresh_token',
-          'post_login_redirect_url'
-        ].map((name) =>
+        ...COOKIE_LIST.map((name) =>
           cookie.serialize(name, '', {
             domain: config.cookieDomain ? config.cookieDomain : undefined,
-            path: '/',
-            maxAge: -1
+            maxAge: -1,
+            ...GLOBAL_COOKIE_OPTIONS
           })
         )
       ]);
 
       // remove cookies from the root domain
       res?.setHeader('Set-Cookie', [
-        ...[
-          'id_token_payload',
-          'id_token',
-          'access_token_payload',
-          'access_token',
-          'user',
-          'refresh_token',
-          'post_login_redirect_url'
-        ].map((name) =>
+        ...COOKIE_LIST.map((name) =>
           cookie.serialize(name, '', {
-            path: '/',
-            maxAge: -1
+            maxAge: -1,
+            ...GLOBAL_COOKIE_OPTIONS
           })
         )
       ]);

diff --git a/src/utils/appRouter/setVerifierCookie.js b/src/utils/appRouter/setVerifierCookie.js
@@ -1,12 +1,12 @@
 import {config} from '../../config/index';
 import {cookies} from 'next/headers';
+import { GLOBAL_COOKIE_OPTIONS } from '../../session/sessionManager';
 
 export const setVerifierCookie = (state, code_verifier, options) => {
   cookies().set({
     name: `${config.SESSION_PREFIX}-${state}`,
     value: JSON.stringify({code_verifier, options}),
-    httpOnly: true,
-    path: '/',
-    maxAge: 60 * 15
+    maxAge: 60 * 15,
+    ...GLOBAL_COOKIE_OPTIONS
   });
 };
diff --git a/src/utils/pageRouter/setVerifierCookie.js b/src/utils/pageRouter/setVerifierCookie.js
@@ -1,4 +1,6 @@
 import {config} from '../../config/index';
+import { GLOBAL_COOKIE_OPTIONS } from '../../session/sessionManager';
+
 const cookie = require('cookie');
 
 export const setVerifierCookie = (state, code_verifier, res, options) => {
@@ -10,8 +12,8 @@ export const setVerifierCookie = (state, code_verifier, res, options) => {
   res.setHeader(
     'Set-Cookie',
     cookie.serialize(`${config.SESSION_PREFIX}-${state}`, jsonCookieValue, {
-      httpOnly: true,
-      maxAge: 60 * 15
+      maxAge: 60 * 15,
+      ...GLOBAL_COOKIE_OPTIONS
     })
   );
   return state;