Improve cookie security using __Host- if possible

labd · Feb 10, 2024 · 280da10 · 280da10
1 parent 910e642
commit 280da10
Show file tree

Hide file tree

Showing 7 changed files with 1,983 additions and 3,925 deletions.
diff --git a/.changeset/violet-sheep-invite.md b/.changeset/violet-sheep-invite.md
@@ -0,0 +1,5 @@
+---
+"@labdigital/federated-token": minor
+---
+
+Improve cookie security settings by using \_\_Host- where needed
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1,6 @@
+pnpm-lock.yaml
+
+node_modules/*
+coverage/*
+dist/*
+test-reports/*
diff --git a/README.md b/README.md
@@ -43,3 +43,5 @@ implemented via 4 cookies:
 - `refreshToken` - The refresh token, if any. It is stored as HTTP_ONLY cookie.
 - `refreshTokenExists` - A boolean value that indicates if a refresh token
   exists for the user. It is used to determine if the user is new or not.
+
+Note that this expects the "cookie-parser" express middleware to be used.
diff --git a/package.json b/package.json
@@ -37,14 +37,18 @@
 		"lodash.isequal": "^4.5.0"
 	},
 	"devDependencies": {
+		"@apollo/server": "^4.10.0",
+		"@apollo/gateway": ">= 2.4",
 		"@apollo/server-gateway-interface": "1.1.0",
 		"@changesets/cli": "^2.26.2",
 		"@sentry/types": "7.55.0",
+		"@types/cookie": "^0.6.0",
 		"@types/cookie-parser": "^1.4.3",
 		"@types/express": "^4.17.17",
 		"@types/lodash.isequal": "^4.5.6",
 		"@typescript-eslint/eslint-plugin": "^5.60.1",
 		"@vitest/coverage-v8": "0.32.2",
+		"cookie": "^0.6.0",
 		"eslint": "^8.40.0",
 		"eslint-plugin-unused-imports": "^2.0.0",
 		"node-mocks-http": "^1.12.2",