Skip to content

Commit

Permalink
feat!: support secure cookie storage for nuxt sdk
Browse files Browse the repository at this point in the history
  • Loading branch information
xiaoyijun committed Sep 14, 2024
1 parent 3d072c9 commit a61073c
Show file tree
Hide file tree
Showing 3 changed files with 46 additions and 10 deletions.
29 changes: 29 additions & 0 deletions .changeset/nice-humans-fry.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
"@logto/nuxt": major
---

add support for secure cookie storage in Nuxt SDK and improve security handling

This is a breaking change that enhances security but requires manual configuration:

- Introduce new `cookieSecure` configuration option to set whether Logto cookie should be secure
- Remove automatic HTTPS detection based on Request URL and headers
- No longer trust `x-forwarded-proto` or similar headers by default for security reasons

Previously, the SDK would automatically determine whether to use secure cookies based on the Request URL and headers. This automatic detection has been removed to prevent potential security vulnerabilities, especially in environments using reverse proxies or load balancers.

Now, users must explicitly configure the `cookieSecure` option based on their deployment environment. This change gives users more control and ensures that secure cookies are used only when explicitly configured.

It's strongly recommended to set `cookieSecure` to `true` when using HTTPS, especially in production environments.

Usage example:

```ts
// nuxt.config.ts
export default defineNuxtConfig({
modules: ['@logto/nuxt'],
logto: {
cookieSecure: true, // Enable secure cookie in HTTPS environments
},
});
```
19 changes: 9 additions & 10 deletions packages/nuxt/src/runtime/server/event-handler.ts
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ export default defineEventHandler(async (event) => {
const {
cookieName,
cookieEncryptionKey,
cookieSecure,
fetchUserInfo,
pathnames,
postCallbackRedirectUri,
Expand All @@ -36,17 +37,15 @@ export default defineEventHandler(async (event) => {
}

const url = getRequestURL(event);
const storage = new CookieStorage(
{
cookieKey: cookieName,
encryptionKey: cookieEncryptionKey,
getCookie: (name) => getCookie(event, name),
setCookie: (name, value, options) => {
setCookie(event, name, value, options);
},
const storage = new CookieStorage({
cookieKey: cookieName,
encryptionKey: cookieEncryptionKey,
isSecure: cookieSecure,
getCookie: (name) => getCookie(event, name),
setCookie: (name, value, options) => {
setCookie(event, name, value, options);
},
{ headers: event.headers, url: url.href }
);
});

await storage.init();

Expand Down
8 changes: 8 additions & 0 deletions packages/nuxt/src/runtime/utils/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,14 @@ type LogtoModuleOptions = {
* @see {@link CookieConfig.cookieKey} for the default value.
*/
cookieName?: string;
/**
* Whether the Logto cookie should be secure.
*
* Set this to `true` if you are using https.
*
* @see {@link CookieConfig.isSecure}
*/
cookieSecure?: boolean;
/**
* If Logto should fetch from the [userinfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
* in the server side for the `event.context.logtoUser` property (used by `useLogtoUser` composable).
Expand Down

0 comments on commit a61073c

Please sign in to comment.