Merge pull request #4027 from Budibase/fix/samesite

sameSite and secure cookie settings
2022-01-14 10:34:15 +01:00 · 2022-01-14 10:34:15 +01:00 · 31d4c46938
parent 5256a1cf9f 6a3882cb1f
commit 31d4c46938
2 changed files with 14 additions and 0 deletions
--- a/packages/backend-core/src/environment.js
+++ b/packages/backend-core/src/environment.js
@ -6,6 +6,13 @@ function isTest() {
  )
 }

+function isDev() {
+  return (
+    process.env.NODE_ENV !== "production" &&
+    process.env.BUDIBASE_ENVIRONMENT !== "production"
+  )
+}
+
 module.exports = {
  JWT_SECRET: process.env.JWT_SECRET,
  COUCH_DB_URL: process.env.COUCH_DB_URL,
@ -27,6 +34,7 @@ module.exports = {
  COOKIE_DOMAIN: process.env.COOKIE_DOMAIN,
  PLATFORM_URL: process.env.PLATFORM_URL,
  isTest,
+  isDev,
  _set(key, value) {
    process.env[key] = value
    module.exports[key] = value
--- a/packages/backend-core/src/utils.js
+++ b/packages/backend-core/src/utils.js
@ -23,6 +23,7 @@ const { getUserSessions, invalidateSessions } = require("./security/sessions")
 const { migrateIfRequired } = require("./migrations")
 const { USER_EMAIL_VIEW_CASING } = require("./migrations").MIGRATIONS
 const { GLOBAL_DB } = require("./migrations").MIGRATION_DBS
+const { isDev, isTest } = require("./environment")

 const APP_PREFIX = DocumentTypes.APP + SEPARATOR

@ -108,6 +109,11 @@ exports.setCookie = (ctx, value, name = "builder", opts = { sign: true }) => {
    overwrite: true,
  }

+  if (!isDev() && !isTest()) {
+    config.sameSite = "none"
+    config.secure = true
+  }
+
  if (environment.COOKIE_DOMAIN) {
    config.domain = environment.COOKIE_DOMAIN
  }