Make cookie http-secure configurable

michaelvl · Dec 17, 2023 · bec3c81 · bec3c81
1 parent a0b9ca4
commit bec3c81
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,13 +2,13 @@ FROM node:16.10.0-alpine3.12
 
 ENV NODE_ENV production
 
-RUN mkdir -p /usr/src/app/bff
+RUN mkdir -p /apps/bff
 
-WORKDIR /usr/src/app/bff
-COPY --chown=node:node package.json package-lock.json /usr/src/app/bff/
+WORKDIR /apps/bff
+COPY --chown=node:node package.json package-lock.json /apps/bff/
 RUN npm install --only=production
 
-COPY --chown=node:node dist /usr/src/app/bff/dist
+COPY --chown=node:node dist /apps/bff/dist
 
 EXPOSE 5010
 

diff --git a/README.md b/README.md
@@ -12,8 +12,19 @@ client secrets secret at the BFF while the frontend use
 [SameSite=strict](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
 cookies to track the security session.
 
+In summary, the security benefits of the OIDC BFF are:
+
+- OIDC tokens and client secrets are kept at the backend, which should
+  be more secure than the browser.
+
+- The security session between browser and BFF is a 'HTTP-only'
+  cookie, i.e. this is not available to potential malicious
+  Javascript.
+
 ## Overall Principle
 
+
+
 ## API Endpoints
 
 With a BFF, accessing the functionality extracted to the backend basically

diff --git a/src/index.ts b/src/index.ts
@@ -24,6 +24,7 @@ const session_secret = process.env.SESSION_SECRET;
 const cors_allow_origin = process.env.CORS_ALLOW_ORIGIN;
 const config_trust_proxies = process.env.CONFIG_TRUST_PROXIES || 1;
 const base_path = process.env.BASE_PATH || '/';
+const secure_cookie = process.env.SECURE_COOKIE!="false";
 
 console.log('CLIENT_ID', client_id);
 console.log('CLIENT_SECRET', client_secret);
@@ -32,6 +33,7 @@ console.log('OIDC_ISSUER_URL', oidc_issuer_url);
 console.log('OIDC_SCOPE', oidc_scope);
 console.log('REDIS_URL', redis_url);
 console.log('CORS_ALLOW_ORIGIN', cors_allow_origin);
+console.log('SECURE_COOKIE', secure_cookie);
 
 if ( ! oidc_issuer_url) {
    console.error('*** Env OIDC_ISSUER_URL not set');
@@ -84,7 +86,7 @@ if (app.get('env') === 'production') {
     console.log('Using trust proxy', config_trust_proxies);
     app.set('trust proxy', config_trust_proxies)
     console.log('Using secure cookie');
-    session_config.cookie.secure = true
+    session_config.cookie.secure = secure_cookie
 }
 if (redis_url) {
     console.log('Using Redis session store');