cleaned up trust proxy stuff

2024-08-16 18:50:44 +03:00 · 2022-06-22 11:59:01 -04:00 · 2022-06-22 11:59:01 -04:00 · 1a32334d7a
commit 1a32334d7a
parent 65d2744b26
3 changed files with 26 additions and 6 deletions
--- a/waspc/data/Generator/templates/server/src/app.js
+++ b/waspc/data/Generator/templates/server/src/app.js
@ -27,8 +27,9 @@ app.use(express.json())
 app.use(express.urlencoded({ extended: false }))
 app.use(cookieParser())

-if (config.trustProxyCount > 0) {
-  app.set('trust proxy', config.trustProxyCount)
+if (config.trustProxies) {
+  app.enable('trust proxy')
+  console.log("Trusting proxies")
 }

 {=# isAuthEnabled =}
--- a/waspc/data/Generator/templates/server/src/config.js
+++ b/waspc/data/Generator/templates/server/src/config.js
@ -14,8 +14,10 @@ const config = {
    port: parseInt(process.env.PORT) || 3001,
    databaseUrl: process.env.DATABASE_URL,
    // This option is sometimes needed when running behind proxies/load balancers.
+    // For example, this is required for secure cookies to work on Heroku.
    // Ref: https://expressjs.com/en/guide/behind-proxies.html
-    trustProxyCount: undefined,
+    // For now, we only handle the boolean case.
+    trustProxies: undefined,
    {=# isAuthEnabled =}
    session: {
      cookie: {
@ -33,7 +35,7 @@ const config = {
    frontendUrl: undefined,
  },
  development: {
-    trustProxyCount: parseInt(process.env.TRUST_PROXY_COUNT) || 0,
+    trustProxies: toBooleanOrDefault(process.env.TRUST_PROXIES, false),
    {=# isAuthEnabled =}
    session: {
      cookie: {
@ -44,7 +46,7 @@ const config = {
    frontendUrl: process.env.REACT_APP_URL || 'http://localhost:3000',
  },
  production: {
-    trustProxyCount: parseInt(process.env.TRUST_PROXY_COUNT) || 1,
+    trustProxies: toBooleanOrDefault(process.env.TRUST_PROXIES, true),
    {=# isAuthEnabled =}
    session: {
      cookie: {
@ -59,6 +61,23 @@ const config = {
 const resolvedConfig = _.merge(config.all, config[env])
 export default resolvedConfig

+function toBooleanOrDefault(str, defaultValue) {
+  if (!str) {
+    return defaultValue
+  }
+
+  switch(str.toLowerCase()) {
+    case "t":
+    case "true":
+      return true
+    case "f":
+    case "false":
+      return false
+    default:
+      return defaultValue
+  }
+}
+
 export function checkCookieSecretLength(secret) {
  if (!secret || secret.length < 32) {
    throw new Error("SESSION_COOKIE_SECRET must be at least 32 characters long in production")
--- a/web/docs/deploying.md
+++ b/web/docs/deploying.md
@ -41,7 +41,7 @@ Server uses following environment variables, so you need to ensure they are set
 - `SESSION_COOKIE_NAME: string` -> name of cookie used to store session data (defaults to `"wasp_session"`).
 - `SESSION_COOKIE_MAX_AGE: int` -> max age of session cookie in milliseconds (defaults to one week).
 - `CSRF_COOKIE_NAME: string` -> name of cookie used to store csrf double submit pattern secret (defaults to `"wasp_csrf"`).
- `TRUST_PROXY_COUNT: int` -> number of proxies for Express app to trust (defaults to `0` for dev, and `1` for prod).
+- `TRUST_PROXIES: bool` -> if Express app should trust proxies (defaults to `false` in development, and `true` in production).

 ### Deploying to Heroku