add SameSite value for access cookies,

add proper minimum expire time for username/auth access cookie, fix bug in setUser
2024-10-30 18:59:10 +00:00 · 2024-10-30 18:59:10 +00:00 · 7626dcf387
commit 7626dcf387
parent 4984877ab7
3 changed files with 15 additions and 5 deletions
--- a/src/backends/backends.js
+++ b/src/backends/backends.js
@ -250,7 +250,7 @@ class USER_BACKEND_MANAGER extends USER_BACKEND {
 		for (const backend of this.#config.realm[user.realm]) {
 			const atomicChange = await global.backends[backend].setUser(user, attributes, params);
 			if (atomicChange.valid === false) { // if any fails, preemptively exit
-				return atomicChange.stauts;
+				return atomicChange.status;
 			}
 			atomicChanges.push(atomicChange); // queue callback into array
 		}
--- a/src/routes/access.js
+++ b/src/routes/access.js
@ -73,12 +73,17 @@ router.post("/ticket", async (req, res) => {
 		return;
 	}
 	const cookies = cm.exportCookies();
+	let minimumExpires = Infinity;
 	for (const cookie of cookies) {
 		const expiresDate = new Date(Date.now() + cookie.expiresMSFromNow);
-		res.cookie(cookie.name, cookie.value, { domain, path: "/", httpOnly: true, secure: true, expires: expiresDate });
+		res.cookie(cookie.name, cookie.value, { domain, path: "/", httpOnly: true, secure: true, expires: expiresDate, sameSite: "none" });
+		if (cookie.expiresMSFromNow < minimumExpires) {
+			minimumExpires = cookie.expiresMSFromNow;
+		}
 	}
-	res.cookie("username", params.username, { domain, path: "/", secure: true });
-	res.cookie("auth", 1, { domain, path: "/", secure: true });
+	const expiresDate = new Date(Date.now() + minimumExpires);
+	res.cookie("username", params.username, { domain, path: "/", secure: true, expires: expiresDate, sameSite: "none" });
+	res.cookie("auth", 1, { domain, path: "/", secure: true, expires: expiresDate, sameSite: "none" });
 	res.status(200).send({ auth: true });
 });

@ -95,7 +100,7 @@ router.delete("/ticket", async (req, res) => {
 	const domain = global.config.application.domain;
 	const expire = new Date(0);
 	for (const cookie in req.cookies) {
-		res.cookie(cookie, "", { domain, path: "/", expires: expire });
+		res.cookie(cookie, "", { domain, path: "/", expires: expire, secure: true, sameSite: "none" });
 	}
 	await global.pve.closeSession(req.cookies);
 	await global.userManager.closeSession(req.cookies);
--- a/src/utils.js
+++ b/src/utils.js
@ -379,6 +379,11 @@ export function readJSONFile (path) {
 	}
 };

+/**
+ *
+ * @param {*} username
+ * @returns {Object | null} user object containing username and realm or null if user does not exist
+ */
 export function getUserObjFromUsername (username) {
 	if (username) {
 		const userRealm = username.split("@").at(-1);