From 938a1bde4792ae50b06eb07b0860e2a313065e7d Mon Sep 17 00:00:00 2001
From: Marcin Maciaszczyk
Date: Thu, 6 Feb 2020 13:09:33 +0100
Subject: [PATCH] Set cookies sameSite to strict and use secure cookies (#4877)

---
 .../common/services/global/authentication.ts | 46 ++++++++++++++-----
 .../common/services/global/localsettings.ts | 10 +++-
 2 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/src/app/frontend/common/services/global/authentication.ts b/src/app/frontend/common/services/global/authentication.ts
index 5dd8cfcdc3e4..909b31776d5c 100644
--- a/src/app/frontend/common/services/global/authentication.ts
+++ b/src/app/frontend/common/services/global/authentication.ts
@@ -32,7 +32,7 @@ import {KdStateService} from './state';
 
 @Injectable()
 export class AuthService {
-  private readonly config_ = CONFIG;
+  private readonly _config = CONFIG;
 
   constructor(
     private readonly cookies_: CookieService,
@@ -54,20 +54,36 @@ export class AuthService {
   private setTokenCookie_(token: string): void {
     // This will only work for HTTPS connection
-    this.cookies_.set(this.config_.authTokenCookieName, token, null, null, null, true);
+    this.cookies_.set(this._config.authTokenCookieName, token, null, null, null, true, 'Strict');
 
     // This will only work when accessing Dashboard at 'localhost' or
     // '127.0.0.1'
-    this.cookies_.set(this.config_.authTokenCookieName, token, null, null, 'localhost');
-    this.cookies_.set(this.config_.authTokenCookieName, token, null, null, '127.0.0.1');
+    this.cookies_.set(
+      this._config.authTokenCookieName,
+      token,
+      null,
+      null,
+      'localhost',
+      true,
+      'Strict',
+    );
+    this.cookies_.set(
+      this._config.authTokenCookieName,
+      token,
+      null,
+      null,
+      '127.0.0.1',
+      true,
+      'Strict',
+    );
   }
 
   private getTokenCookie_(): string {
-    return this.cookies_.get(this.config_.authTokenCookieName) || '';
+    return this.cookies_.get(this._config.authTokenCookieName) || '';
   }
 
   removeAuthCookies(): void {
-    this.cookies_.delete(this.config_.authTokenCookieName);
-    this.cookies_.delete(this.config_.skipLoginPageCookieName);
+    this.cookies_.delete(this._config.authTokenCookieName);
+    this.cookies_.delete(this._config.skipLoginPageCookieName);
   }
 
   /**
@@ -79,7 +95,7 @@ export class AuthService {
       .pipe(
         switchMap((csrfToken: CsrfToken) =>
           this.http_.post('api/v1/login', loginSpec, {
-            headers: new HttpHeaders().set(this.config_.csrfHeaderName, csrfToken.token),
+            headers: new HttpHeaders().set(this._config.csrfHeaderName, csrfToken.token),
           }),
         ),
       )
@@ -115,7 +131,7 @@ export class AuthService {
         'api/v1/token/refresh',
         {jweToken: token},
         {
-          headers: new HttpHeaders().set(this.config_.csrfHeaderName, csrfToken.token),
+          headers: new HttpHeaders().set(this._config.csrfHeaderName, csrfToken.token),
         },
       );
     }),
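Review bot: The two comments in setTokenCookie_ are now out of date — the first says the no-domain cookie "will only work for HTTPS connection", implying the `'localhost'`/`'127.0.0.1'` cookies below are the plain-HTTP fallback, but those two calls now also pass `true` for `secure`, so every cookie written by this method requires HTTPS. I would replace both comments with one above the first call: `// Secure + SameSite=Strict: these cookies are only stored over HTTPS, the 'localhost'/'127.0.0.1' variants included.` The same positional attribute tuple (`null, null, null, true, 'Strict'`) is repeated in skipLoginPage (hunk @@ -150) and in LocalSettingsService.updateCookie_ (localsettings.ts hunk @@ -45); a single private helper or a shared options constant would keep the four call sites from drifting. With `secure` set, the skip-login and local-settings cookies will presumably be dropped silently by the browser on any deployment still reached over plain HTTP — worth a sentence in the commit message or a comment at updateCookie_.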
@@ -150,7 +166,15 @@ export class AuthService {
 
   skipLoginPage(skip: boolean): void {
     this.removeAuthCookies();
-    this.cookies_.set(this.config_.skipLoginPageCookieName, skip.toString());
+    this.cookies_.set(
+      this._config.skipLoginPageCookieName,
+      skip.toString(),
+      null,
+      null,
+      null,
+      true,
+      'Strict',
+    );
   }
 
   /**
@@ -159,6 +183,6 @@ export class AuthService {
    * In case cookie is not set login page will also be visible.
    */
   isLoginPageEnabled(): boolean {
-    return !(this.cookies_.get(this.config_.skipLoginPageCookieName) === 'true');
+    return !(this.cookies_.get(this._config.skipLoginPageCookieName) === 'true');
   }
 }
diff --git a/src/app/frontend/common/services/global/localsettings.ts b/src/app/frontend/common/services/global/localsettings.ts
index cfed6d97199e..fae571e7c6ff 100644
--- a/src/app/frontend/common/services/global/localsettings.ts
+++ b/src/app/frontend/common/services/global/localsettings.ts
@@ -45,6 +45,14 @@ export class LocalSettingsService {
   }
 
   updateCookie_(): void {
-    this.cookies_.set(this.cookieName_, JSON.stringify(this.settings_));
+    this.cookies_.set(
+      this.cookieName_,
+      JSON.stringify(this.settings_),
+      null,
+      null,
+      null,
+      true,
+      'Strict',
+    );
   }
 }