
[CLI] Set default CSRF protection for sessions in the configuration #594

Merged: 2 commits, Dec 13, 2019

Conversation

LoicPoullain (Member)

Issues

  • Since v4.17.0, ExpressJS has supported the none option for the SameSite cookie attribute. Developers should be able to use this value.
  • Developers using cookies (for example with @TokenRequired({ cookie: true })) might not be aware of CSRF attacks and how to protect against them. We should set up a default protection for this in every new project.

Solutions and steps

  • Update the CookieOptions interface.
  • Configuration generated with the command createapp will include a default CSRF protection for sessions: the cookie attribute SameSite will be set to lax.

Checklist

  • Add/update/check docs (code comments and docs/ folder).
  • Add/update/check tests.
  • Update/check the cli generators.
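As an added illustration, not code from FoalTS itself, the following hypothetical CookieOptions type accepts the 'none' value this PR introduces, and a small Set-Cookie serializer applies the SameSite=Lax default that the generated configuration gives session cookies, refusing the one combination browsers reject (None without Secure):

```typescript
// Added example (not FoalTS code). Names (CookieOptions, serializeSessionCookie,
// SESSION_COOKIE_DEFAULTS) are hypothetical and chosen for this illustration.
type SameSite = 'strict' | 'lax' | 'none';

interface CookieOptions {
  domain?: string;
  expires?: Date;
  httpOnly?: boolean;
  maxAge?: number;
  path?: string;
  secure?: boolean;
  sameSite?: SameSite;   // 'none' is the value added alongside 'strict' and 'lax'
}

// Defaults a freshly generated project would apply to its session cookie:
// SameSite=Lax blocks the cookie on cross-site POSTs (the classic CSRF vector);
// HttpOnly keeps the session token out of reach of page scripts.
// Note that Lax still sends the cookie on top-level cross-site GET navigations,
// so state-changing actions must not be reachable via GET.
const SESSION_COOKIE_DEFAULTS: CookieOptions = { httpOnly: true, sameSite: 'lax', path: '/' };

const SAME_SITE_LABEL: Record<SameSite, string> = { strict: 'Strict', lax: 'Lax', none: 'None' };

function serializeSessionCookie(name: string, value: string, options: CookieOptions = {}): string {
  const opts: CookieOptions = { ...SESSION_COOKIE_DEFAULTS, ...options };
  // Browsers discard SameSite=None cookies that are not also Secure, which would
  // silently break cross-site sessions; treat it as a configuration error instead.
  if (opts.sameSite === 'none' && !opts.secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${SAME_SITE_LABEL[opts.sameSite]}`);
  return parts.join('; ');
}
```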

codecov bot commented Dec 13, 2019

Codecov Report

Merging #594 into v1-4-0 will increase coverage by 0.4%.
The diff coverage is n/a.


@@            Coverage Diff            @@
##           v1-4-0     #594     +/-   ##
=========================================
+ Coverage   99.16%   99.57%   +0.4%     
=========================================
  Files          65       88     +23     
  Lines        1083     1635    +552     
  Branches      266      373    +107     
=========================================
+ Hits         1074     1628    +554     
+ Misses          9        7      -2
Impacted Files Coverage Δ
packages/core/src/core/http/http-responses.ts 100% <ø> (ø) ⬆️
...c/openapi/metadata-getters/get-api-request-body.ts 100% <0%> (ø) ⬆️
.../metadata-getters/get-api-operation-description.ts 100% <0%> (ø) ⬆️
packages/core/src/common/utils/controller.util.ts 100% <0%> (ø) ⬆️
...napi/metadata-getters/get-api-operation-summary.ts 100% <0%> (ø) ⬆️
...ages/core/src/common/utils/verify-password.util.ts 100% <0%> (ø) ⬆️
...core/src/common/tokens/verify-signed-token.util.ts 100% <0%> (ø) ⬆️
packages/core/src/sessions/token-optional.hook.ts 100% <0%> (ø) ⬆️
packages/core/src/common/utils/get-ajv-instance.ts 100% <0%> (ø) ⬆️
packages/core/src/common/utils/escape-prop.ts 100% <0%> (ø) ⬆️
... and 52 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2a4d3be...fe0468e.

@LoicPoullain LoicPoullain merged commit c6ecdcd into v1-4-0 Dec 13, 2019
@LoicPoullain LoicPoullain deleted the session-samesite-config branch December 13, 2019 11:27