feat!: support secure cookie storage for nuxt sdk (#794)

logto-io · Sep 18, 2024 · 5f4de8c · 5f4de8c
1 parent 3d072c9
commit 5f4de8c
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 10 deletions.
diff --git a/.changeset/nice-humans-fry.md b/.changeset/nice-humans-fry.md
@@ -0,0 +1,29 @@
+---
+"@logto/nuxt": major
+---
+
+add support for secure cookie storage in Nuxt SDK and improve security handling
+
+This is a breaking change that enhances security but requires manual configuration:
+
+- Introduce new `cookieSecure` configuration option to set whether Logto cookie should be secure
+- Remove automatic HTTPS detection based on Request URL and headers
+- No longer trust `x-forwarded-proto` or similar headers by default for security reasons
+
+Previously, the SDK would automatically determine whether to use secure cookies based on the Request URL and headers. This automatic detection has been removed to prevent potential security vulnerabilities, especially in environments using reverse proxies or load balancers.
+
+Now, users must explicitly configure the `cookieSecure` option based on their deployment environment. This change gives users more control and ensures that secure cookies are used only when explicitly configured.
+
+It's strongly recommended to set `cookieSecure` to `true` when using HTTPS, especially in production environments.
+
+Usage example:
+
+```ts
+// nuxt.config.ts
+export default defineNuxtConfig({
+  modules: ['@logto/nuxt'],
+  logto: {
+    cookieSecure: true, // Enable secure cookie in HTTPS environments
+  },
+});
+```
diff --git a/packages/nuxt/src/runtime/server/event-handler.ts b/packages/nuxt/src/runtime/server/event-handler.ts
@@ -15,6 +15,7 @@ export default defineEventHandler(async (event) => {
   const {
     cookieName,
     cookieEncryptionKey,
+    cookieSecure,
     fetchUserInfo,
     pathnames,
     postCallbackRedirectUri,
@@ -36,17 +37,15 @@ export default defineEventHandler(async (event) => {
   }
 
   const url = getRequestURL(event);
-  const storage = new CookieStorage(
-    {
-      cookieKey: cookieName,
-      encryptionKey: cookieEncryptionKey,
-      getCookie: (name) => getCookie(event, name),
-      setCookie: (name, value, options) => {
-        setCookie(event, name, value, options);
-      },
+  const storage = new CookieStorage({
+    cookieKey: cookieName,
+    encryptionKey: cookieEncryptionKey,
+    isSecure: cookieSecure,
+    getCookie: (name) => getCookie(event, name),
+    setCookie: (name, value, options) => {
+      setCookie(event, name, value, options);
     },
-    { headers: event.headers, url: url.href }
-  );
+  });
 
   await storage.init();
 

diff --git a/packages/nuxt/src/runtime/utils/types.ts b/packages/nuxt/src/runtime/utils/types.ts
@@ -14,6 +14,14 @@ type LogtoModuleOptions = {
    * @see {@link CookieConfig.cookieKey} for the default value.
    */
   cookieName?: string;
+  /**
+   * Whether the Logto cookie should be secure.
+   *
+   * Set this to `true` if you are using https.
+   *
+   * @see {@link CookieConfig.isSecure}
+   */
+  cookieSecure?: boolean;
   /**
    * If Logto should fetch from the [userinfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
    * in the server side for the `event.context.logtoUser` property (used by `useLogtoUser` composable).