diff --git a/Dockerfile b/Dockerfile
index cbb3852..3a43b6a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,13 +2,13 @@
 FROM node:16.10.0-alpine3.12
 ENV NODE_ENV production
-RUN mkdir -p /usr/src/app/bff
+RUN mkdir -p /apps/bff
-WORKDIR /usr/src/app/bff
-COPY --chown=node:node package.json package-lock.json /usr/src/app/bff/
+WORKDIR /apps/bff
+COPY --chown=node:node package.json package-lock.json /apps/bff/
 RUN npm install --only=production
-COPY --chown=node:node dist /usr/src/app/bff/dist
+COPY --chown=node:node dist /apps/bff/dist
 EXPOSE 5010
diff --git a/README.md b/README.md
index 6eff3d9..dd4aba8 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,19 @@ client secrets secret at the BFF while the frontend use
 [SameSite=strict](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
 cookies to track the security session.
+In summary, the security benefits of the OIDC BFF are:
+
+- OIDC tokens and client secrets are kept at the backend, which should
+ be more secure than the browser.
+
+- The security session between browser and BFF is a 'HTTP-only'
+ cookie, i.e. this is not available to potential malicious
+ Javascript.
+
 ## Overall Principle
+
+
 ## API Endpoints
 With a BFF, accessing the functionality extracted to the backend basically
diff --git a/src/index.ts b/src/index.ts
index 1f243f6..8d9609e 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -24,6 +24,7 @@ const session_secret = process.env.SESSION_SECRET;
 const cors_allow_origin = process.env.CORS_ALLOW_ORIGIN;
 const config_trust_proxies = process.env.CONFIG_TRUST_PROXIES || 1;
 const base_path = process.env.BASE_PATH || '/';
+const secure_cookie = process.env.SECURE_COOKIE!="false";
 console.log('CLIENT_ID', client_id);
 console.log('CLIENT_SECRET', client_secret);
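Review bot: The new `const secure_cookie = process.env.SECURE_COOKIE!="false";` uses loose `!=` and only matches the exact lowercase literal, so `SECURE_COOKIE=FALSE` or `=0` silently leaves the Secure flag on; strict `!==` is the conventional TypeScript form and normalising the value makes the opt-out predictable: `const secure_cookie = (process.env.SECURE_COOKIE || 'true').toLowerCase() !== 'false';`. Treating an unset variable as secure-on is the right fail-safe default and deserves a comment, e.g. `// SECURE_COOKIE=false is an opt-out for local plain-HTTP testing only; leave it unset in production so the session cookie is never sent in clear.`. The README hunk in this commit advertises the HTTP-only session cookie but does not document this switch, which weakens that same cookie when set. Separately and pre-existing, the surrounding block logs `client_secret` to stdout, which is worth removing in a follow-up since container logs are rarely treated as secrets.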
@@ -32,6 +33,7 @@ console.log('OIDC_ISSUER_URL', oidc_issuer_url);
 console.log('OIDC_SCOPE', oidc_scope);
 console.log('REDIS_URL', redis_url);
 console.log('CORS_ALLOW_ORIGIN', cors_allow_origin);
+console.log('SECURE_COOKIE', secure_cookie);
 if ( ! oidc_issuer_url) {
 console.error('*** Env OIDC_ISSUER_URL not set');
@@ -84,7 +86,7 @@ if (app.get('env') === 'production') {
 console.log('Using trust proxy', config_trust_proxies);
 app.set('trust proxy', config_trust_proxies)
 console.log('Using secure cookie');
-session_config.cookie.secure = true
+session_config.cookie.secure = secure_cookie
 }
 if (redis_url) {
 console.log('Using Redis session store');
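Review bot: `console.log('Using secure cookie');` on the line above the changed assignment still prints unconditionally, so with `SECURE_COOKIE=false` the production log claims a Secure cookie while `session_config.cookie.secure` is actually false. Make the log follow the value and warn loudly on the insecure path: `if (secure_cookie) { console.log('Using secure cookie'); } else { console.warn('*** SECURE_COOKIE=false: session cookie will be sent over plain HTTP'); }`. The enclosing `if (app.get('env') === 'production')` block starts outside the hunk, so non-production runs presumably never set the flag at all; a comment above the assignment would make that explicit, e.g. `// Secure flag is only applied in production; SECURE_COOKIE=false disables it and is meant for plain-HTTP testing only.`.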