torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
harheimertc/server/utils/cookies.js
Torsten Schulz (local) 6d6a14ac48
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 42s
Details
Update cookie SameSite configuration and secure options for improved security compliance 
This commit enhances the cookie handling logic by providing detailed comments on the SameSite attribute options and their implications for security. It sets the default SameSite value to 'none' to allow iframe embedding while ensuring that Secure is true when SameSite is 'none'. Additionally, it adds a warning for cases where SameSite is 'none' but Secure is false, improving the overall security posture of cookie management.
2026-01-11 21:10:00 +01:00

63 lines
2.1 KiB
JavaScript
Raw Permalink Blame History

function isProduction() {
return process.env.NODE_ENV === 'production'
}
export function getCookieSecureDefault() {
// In Produktion: immer Secure (auch wenn HTTPS via Apache terminiert).
// In Dev: default false, damit Login über http://localhost funktioniert.
if (process.env.COOKIE_SECURE === 'true') return true
if (process.env.COOKIE_SECURE === 'false') return false
return isProduction()
}
export function getSameSiteDefault() {
// Cookie SameSite-Konfiguration
// - 'none': Erlaubt Cookies in Cross-Site-iframes (erfordert Secure: true)
// - 'lax': Erlaubt Cookies bei Navigation (Standard für Cross-Site)
// - 'strict': Blockiert alle Cross-Site-Cookies (sicherste Option, blockiert iframes)
const v = (process.env.COOKIE_SAMESITE || '').toLowerCase().trim()
if (v === 'strict' || v === 'lax' || v === 'none') return v
// Default: 'none' für Cross-Site-iframes (wenn in iframe eingebettet)
// WICHTIG: SameSite: none erfordert Secure: true (HTTPS)
// Falls iframe-Einbettung nicht benötigt wird, kann auf 'strict' oder 'lax' geändert werden
return 'none' // Ermöglicht Einbettung in iframes (z.B. von harheimertc.de)
}
export function getAuthCookieOptions() {
const sameSite = getSameSiteDefault()
const secure = getCookieSecureDefault()
// SameSite: none erfordert Secure: true
// Wenn SameSite: none gesetzt ist, aber Secure: false, warnen
if (sameSite === 'none' && !secure) {
console.warn('⚠️ SameSite: none erfordert Secure: true. Cookie könnte in iframes nicht funktionieren.')
}
return {
httpOnly: true,
secure: secure,
sameSite: sameSite,
maxAge: 60 * 60 * 24 * 7 // 7 days
}
}
export function getDownloadCookieOptions() {
// Download-Token ist kurzlebig; SameSite strict ist ok.
return {
httpOnly: true,
secure: getCookieSecureDefault(),
sameSite: 'strict',
maxAge: 60 * 60 * 24 // 24 Stunden
}
}
export function getDownloadCookieOptionsWithMaxAge(maxAgeSeconds) {
return {
...getDownloadCookieOptions(),
maxAge: Number(maxAgeSeconds) || getDownloadCookieOptions().maxAge
}
}
Reference in New Issue View Git Blame Copy Permalink