From 6826e43ad7283472784223f85b6a7b04bfffd0d8 Mon Sep 17 00:00:00 2001
From: dakkar
Date: Sun, 10 Mar 2024 10:26:04 +0000
Subject: [PATCH] make cookie a bit more secure - fixes #445

We can't make the cookie `HttpOnly` because we're setting it from Javascript, but I'm not sure it's worth the trouble to redesign that: `JSON.parse(localStorage.account).token` gives you the token anyway, hiding the cookie from JS won't offer much protection.

At least we can mark is `Secure` (meaning, only send it over HTTPS) and _delete it on logout_ (it wasn't!)
---
 packages/frontend/src/account.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/frontend/src/account.ts b/packages/frontend/src/account.ts
index 171826c9d..90cc2e51c 100644
--- a/packages/frontend/src/account.ts
+++ b/packages/frontend/src/account.ts
@@ -43,6 +43,7 @@ export async function signout() {
 	waiting();
 	miLocalStorage.removeItem('account');
 	await removeAccount($i.id);
+	document.cookie = `token=; path=/; max-age=0${ location.protocol === 'https:' ? '; Secure' : ''}`;
 	const accounts = await getAccounts();
 
 	//#region Remove service worker registration
@@ -200,7 +201,7 @@ export async function login(token: Account['token'], redirect?: string) {
 		throw reason;
 	});
 	miLocalStorage.setItem('account', JSON.stringify(me));
-	document.cookie = `token=${token}; path=/; max-age=31536000`; // bull dashboardの認証とかで使う
+	document.cookie = `token=${token}; path=/; max-age=31536000${ location.protocol === 'https:' ? '; Secure' : ''}`; // bull dashboardの認証とかで使う
 	await addAccount(me.id, token);
 	if (redirect) {
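Review bot: The token cookie is cleared on the added line in signout() (and set in the login() hunk below) without an explicit `SameSite` attribute, so a cookie the description says authenticates the bull dashboard relies on each browser's default cross-site policy; appending `; SameSite=Lax` to the attribute string in both places makes that policy explicit and also covers older browsers whose default is `None`. The `location.protocol === 'https:' ? '; Secure' : ''` expression is now duplicated verbatim in the two cookie writes; hoisting it into one small helper, e.g. `const secureAttr = () => (location.protocol === 'https:' ? '; Secure' : '');`, keeps them from drifting and removes the stray space after `${`. The cookie clear also runs after `await removeAccount($i.id)`, so if that call rejects the token cookie is left in place; moving the synchronous `document.cookie = …` line directly after `miLocalStorage.removeItem('account')` avoids that, assuming nothing in between depends on the cookie (removeAccount is not visible here). signout() starts before the hunk and continues past it, and the login() hunk is cut off at the end of the file.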