From 7274d63e3b92b2c1da1c8aaa5e0a18d3e069ac68 Mon Sep 17 00:00:00 2001
From: Mohamed Marrouchi
Date: Thu, 18 May 2023 10:10:21 +0100
Subject: [PATCH 1/5] fix: trust proxy ssl to forward session cookie

---
 config/config.md | 2 ++
 config/default.json | 1 +
 src/koaApi.js | 7 ++++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/config/config.md b/config/config.md
index a8ad274b..7adb6b25 100644
--- a/config/config.md
+++ b/config/config.md
@@ -44,6 +44,8 @@ The following config option are provided by the OpenHIM. All of these options ha
 // The session secret key used for the hashing of signed cookie (used to detect if the client modified the cookie)
 // Signed cookie is another cookie of the same name with the .sig suffix appended
 "sessionKey": "r8q,+&1LM3)CD*zAGpx1xm{NeQhc;#",
+// If OpenHIM is behind a proxy (should be `true` if the ssl is handled by the proxy)
+"trustProxy": false,
 // The session max age is the session cookie expiration time (in milliseconds)
 "maxAge": 7200000,
 // The number of characters that will be used to generate a random salt for the encryption of passwords
diff --git a/config/default.json b/config/default.json
index a6278141..6947b014 100644
--- a/config/default.json
+++ b/config/default.json
@@ -32,6 +32,7 @@
 },
 "api": {
 "sessionKey": "r8q,+&1LM3)CD*zAGpx1xm{NeQhc;#",
+"trustProxy": false,
 "maxAge": 7200000,
 "salt": 10,
 "enabled": true,
diff --git a/src/koaApi.js b/src/koaApi.js
index 3a49fe2b..87918d41 100644
--- a/src/koaApi.js
+++ b/src/koaApi.js
@@ -40,12 +40,17 @@ export function setupApp(done) {
 // Configure Sessions Middleware
 
 app.keys = [config.api.sessionKey]
+
+if (config.api.trustProxy) {
+app.proxy = true;
+}
+
 app.use(
 session(
 {
 maxAge: config.api.maxAge || 7200000,
 resave: false,
-secure: true,
+secure: config.api.protocol === 'https',
 httpOnly: true,
 sameSite: 'none',
 store: new MongooseStore()
From 5d0e12748636a00d623b8ba728c937ba9bf15167 Mon Sep 17 00:00:00 2001
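Review bot: `app.proxy = true` inside the new `if (config.api.trustProxy)` block makes Koa take `ctx.protocol`, `ctx.ip`/`ctx.ips` and `ctx.host` from the `X-Forwarded-*` headers of whatever peer connects, so the option is only safe when this port is reachable exclusively through the proxy; a client that can reach the API directly could otherwise present its own forwarded-protocol header and be treated as a TLS request, including for the `secure` cookie decision. Neither the code nor the `trustProxy` entry in config.md states that precondition, so I would add a comment above the block: `// Trust X-Forwarded-* from the upstream proxy; enable only when nothing but the proxy can reach this port`. The `secure: config.api.protocol === 'https'` line also silently yields `false` if `config.api.protocol` is not a defined option; later commits in this series replace that line, so the comment is the main point here. setupApp starts before and continues after this hunk.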
From: Mohamed Marrouchi
Date: Fri, 19 May 2023 08:20:05 +0100
Subject: [PATCH 2/5] feat: configure secure cookie

---
 config/config.md | 2 ++
 config/default.json | 1 +
 src/koaApi.js | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/config.md b/config/config.md
index 7adb6b25..0d22fb89 100644
--- a/config/config.md
+++ b/config/config.md
@@ -46,6 +46,8 @@ The following config option are provided by the OpenHIM. All of these options ha
 "sessionKey": "r8q,+&1LM3)CD*zAGpx1xm{NeQhc;#",
 // If OpenHIM is behind a proxy (should be `true` if the ssl is handled by the proxy)
 "trustProxy": false,
+// Secure the cookie (either protocol is https or trusting a secured proxy)
+secureCookie: true,
 // The session max age is the session cookie expiration time (in milliseconds)
 "maxAge": 7200000,
 // The number of characters that will be used to generate a random salt for the encryption of passwords
diff --git a/config/default.json b/config/default.json
index 6947b014..12e66d8d 100644
--- a/config/default.json
+++ b/config/default.json
@@ -33,6 +33,7 @@
 "api": {
 "sessionKey": "r8q,+&1LM3)CD*zAGpx1xm{NeQhc;#",
 "trustProxy": false,
+"secureCookie": true,
 "maxAge": 7200000,
 "salt": 10,
 "enabled": true,
diff --git a/src/koaApi.js b/src/koaApi.js
index 87918d41..c30f996c 100644
--- a/src/koaApi.js
+++ b/src/koaApi.js
@@ -50,7 +50,7 @@ export function setupApp(done) {
 {
 maxAge: config.api.maxAge || 7200000,
 resave: false,
-secure: config.api.protocol === 'https',
+secure: config.api.secureCookie,
 httpOnly: true,
 sameSite: 'none',
 store: new MongooseStore()
From 57a3215e130ac68f16608868d0ceab2eb606bc66 Mon Sep 17 00:00:00 2001
From: Mohamed Marrouchi
Date: Fri, 19 May 2023 10:33:55 +0100
Subject: [PATCH 3/5] Update config/config.md

Co-authored-by: arran-standish <125864621+arran-standish@users.noreply.github.com>
---
 config/config.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

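Review bot: `secure: config.api.secureCookie` can now be `false` while `sameSite: 'none'` two lines below stays fixed, and browsers that enforce the SameSite=None-requires-Secure rule discard such a cookie, so an operator who turns `secureCookie` off for a plain-HTTP deployment ends up with no session at all rather than a less strict one. Either couple the two attributes, `sameSite: config.api.secureCookie ? 'none' : 'lax',`, or state the restriction next to the option, e.g. `// secureCookie=false is only usable together with a sameSite value other than 'none'`. The other direction is also worth a comment: with `secureCookie` true the flag is no longer tied to the request being TLS, and as far as I recall the underlying cookie library refuses to set a Secure cookie on a request Koa does not consider secure, so the value has to match the actual deployment (TLS on this process, or `trustProxy` with a proxy that forwards the protocol). setupApp starts before and continues after this hunk.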
diff --git a/config/config.md b/config/config.md
index 0d22fb89..80ba5e96 100644
--- a/config/config.md
+++ b/config/config.md
@@ -44,7 +44,7 @@ The following config option are provided by the OpenHIM. All of these options ha
 // The session secret key used for the hashing of signed cookie (used to detect if the client modified the cookie)
 // Signed cookie is another cookie of the same name with the .sig suffix appended
 "sessionKey": "r8q,+&1LM3)CD*zAGpx1xm{NeQhc;#",
-// If OpenHIM is behind a proxy (should be `true` if the ssl is handled by the proxy)
+// If OpenHIM is behind a proxy (should be `true` if the proxy sends relevant Forwarded headers)
 "trustProxy": false,
 // Secure the cookie (either protocol is https or trusting a secured proxy)
 secureCookie: true,
From 476ff4c0f92b6da800acc5d9285dd2e89304b6ce Mon Sep 17 00:00:00 2001
From: Mohamed Marrouchi
Date: Fri, 19 May 2023 10:34:13 +0100
Subject: [PATCH 4/5] Update src/koaApi.js

Co-authored-by: arran-standish <125864621+arran-standish@users.noreply.github.com>
---
 src/koaApi.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/koaApi.js b/src/koaApi.js
index c30f996c..8d9fe37e 100644
--- a/src/koaApi.js
+++ b/src/koaApi.js
@@ -42,7 +42,7 @@ export function setupApp(done) {
 app.keys = [config.api.sessionKey]
 
 if (config.api.trustProxy) {
-app.proxy = true;
+app.proxy = true
 }
 
 app.use(
From 6cad52547312a20e018fcd77e82c3b440ff6a858 Mon Sep 17 00:00:00 2001
From: bradsawadye
Date: Tue, 30 May 2023 11:26:17 +0200
Subject: [PATCH 5/5] Update the version of project

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 77f2094e..ed39b4ac 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "openhim-core",
 "description": "The OpenHIM core application that provides logging and routing of http requests",
-"version": "7.2.1",
+"version": "7.3.0",
 "main": "./lib/server.js",
 "bin": {
 "openhim-core": "./bin/openhim-core.js"