From 7626dcf387f720ca4797079cc4a7d5a31df98941 Mon Sep 17 00:00:00 2001
From: Arthur Lu
Date: Wed, 30 Oct 2024 18:59:10 +0000
Subject: [PATCH] add SameSite value for access cookies, add proper minimum expire time for username/auth access cookie, fix bug in setUser
---
 src/backends/backends.js | 2 +-
 src/routes/access.js | 13 +++++++++----
 src/utils.js | 5 +++++
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/backends/backends.js b/src/backends/backends.js
index 32379f5..a98b042 100644
--- a/src/backends/backends.js
+++ b/src/backends/backends.js
@@ -250,7 +250,7 @@ class USER_BACKEND_MANAGER extends USER_BACKEND {
 for (const backend of this.#config.realm[user.realm]) {
 const atomicChange = await global.backends[backend].setUser(user, attributes, params);
 if (atomicChange.valid === false) { // if any fails, preemptively exit
- return atomicChange.stauts;
+ return atomicChange.status;
 }
 atomicChanges.push(atomicChange); // queue callback into array
 }
diff --git a/src/routes/access.js b/src/routes/access.js
index 086d102..29f0693 100644
--- a/src/routes/access.js
+++ b/src/routes/access.js
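Review bot: Nothing at the early-exit `return atomicChange.status;` documents what callers receive on the failure path, and the previous misspelling went unnoticed precisely because reading a missing property yields `undefined` without any error. A comment such as `// on failure, propagate the failing backend's status so the caller sees why the change was rejected` would keep that contract visible, and a test that drives one backend to `valid === false` and asserts on the returned status would catch the same class of typo in future. `setUser` in USER_BACKEND_MANAGER starts and ends outside the hunk.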
@@ -73,12 +73,17 @@ router.post("/ticket", async (req, res) => {
 return;
 }
 const cookies = cm.exportCookies();
+ let minimumExpires = Infinity;
 for (const cookie of cookies) {
 const expiresDate = new Date(Date.now() + cookie.expiresMSFromNow);
- res.cookie(cookie.name, cookie.value, { domain, path: "/", httpOnly: true, secure: true, expires: expiresDate });
+ res.cookie(cookie.name, cookie.value, { domain, path: "/", httpOnly: true, secure: true, expires: expiresDate, sameSite: "none" });
+ if (cookie.expiresMSFromNow < minimumExpires) {
+ minimumExpires = cookie.expiresMSFromNow;
+ }
 }
- res.cookie("username", params.username, { domain, path: "/", secure: true });
- res.cookie("auth", 1, { domain, path: "/", secure: true });
+ const expiresDate = new Date(Date.now() + minimumExpires);
+ res.cookie("username", params.username, { domain, path: "/", secure: true, expires: expiresDate, sameSite: "none" });
+ res.cookie("auth", 1, { domain, path: "/", secure: true, expires: expiresDate, sameSite: "none" });
 res.status(200).send({ auth: true });
 });
@@ -95,7 +100,7 @@ router.delete("/ticket", async (req, res) => {
 const domain = global.config.application.domain;
 const expire = new Date(0);
 for (const cookie in req.cookies) {
- res.cookie(cookie, "", { domain, path: "/", expires: expire });
+ res.cookie(cookie, "", { domain, path: "/", expires: expire, secure: true, sameSite: "none" });
 }
 await global.pve.closeSession(req.cookies);
 await global.userManager.closeSession(req.cookies);
diff --git a/src/utils.js b/src/utils.js
index d76658b..e153473 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -379,6 +379,11 @@ export function readJSONFile (path) {
 }
 };
+/**
+ *
+ * @param {*} username
+ * @returns {Object | null} user object containing username and realm or null if user does not exist
+ */
 export function getUserObjFromUsername (username) {
 if (username) {
 const userRealm = username.split("@").at(-1);
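Review bot: `minimumExpires` starts at `Infinity`, so if `cm.exportCookies()` ever yields no cookies the `expiresDate` built after the loop is an Invalid Date, and as far as I can tell Express's cookie serializer rejects an invalid `expires` with a TypeError instead of emitting the `username`/`auth` cookies; a guard such as `const expiresDate = Number.isFinite(minimumExpires) ? new Date(Date.now() + minimumExpires) : undefined;` falls back to session cookies in that case (whether an empty export is reachable depends on `cm`, which is outside the hunk). `minimumExpires = Math.min(minimumExpires, cookie.expiresMSFromNow);` would replace the three-line `if` and reads closer to its intent. Separately, `sameSite: "none"` makes every one of these cookies, including the `httpOnly` backend session cookies, attach to cross-site requests, so the browser no longer contributes any CSRF protection for this API; if a cross-site frontend is the reason, a comment at the first `res.cookie` call stating that and naming where origin/CSRF checks live, e.g. `// sameSite "none": frontend is served cross-site; CSRF is covered by [WHERE-CSRF-CHECK-LIVES]`, would record the decision. The same attribute is set in the `DELETE /ticket` hunk below. The enclosing handler starts before this hunk.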
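Review bot: The clearing loop rebuilds the attribute set by hand at `res.cookie(cookie, "", { ... })`, while Express already offers `res.clearCookie(cookie, { domain, path: "/", secure: true, sameSite: "none" })`, which sets the epoch expiry itself and makes the intent explicit. Browsers match an overwriting Set-Cookie on name, domain and path, so `domain`/`path` are what make the deletion take effect; keeping `secure`/`sameSite` in step with the setter in `POST /ticket` is still sensible, and a comment such as `// keep options identical to POST /ticket so the clearing cookie is accepted the same way` would preserve that reason for the next edit. The handler continues past the hunk.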
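Review bot: The new JSDoc has an empty summary line and types the parameter as `{*}`, although the visible body calls `username.split("@")`, so it is a string by contract; fill both in, e.g. `* Resolve a login of the form user@realm into a user object.` and `* @param {string} username - login name, expected as user@realm`. The `@returns` line documents `null` for a missing user, which is worth keeping because the visible guard only checks for a falsy `username`; how a name without `@` is handled is decided further down, outside the hunk. `getUserObjFromUsername` continues past the hunk.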