From e4fc67e09c2320f7bd071de0ef6017be54210bb1 Mon Sep 17 00:00:00 2001
From: shayneczyzewski
Date: Tue, 14 Jun 2022 12:40:33 -0400
Subject: [PATCH] some updates and notes
---
 waspc/data/Generator/templates/react-app/src/index.js | 5 ++++-
 waspc/data/Generator/templates/server/src/app.js | 1 +
 waspc/data/Generator/templates/server/src/routes/index.js | 1 +
 waspc/data/Generator/templates/server/src/session.js | 5 +++--
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/waspc/data/Generator/templates/react-app/src/index.js b/waspc/data/Generator/templates/react-app/src/index.js
index e1da9c5bc..fe2debabb 100644
--- a/waspc/data/Generator/templates/react-app/src/index.js
+++ b/waspc/data/Generator/templates/react-app/src/index.js
@@ -36,7 +36,10 @@ async function startApp() {
   serviceWorker.unregister()
 }
-// TODO: Chat on options. Pretty hacky.
+// NOTE: Since users will likely have the backend running on a different domain than
+// the frontend, we are unable to set the token:
+// (a) on the page load, as the index.html is not served by Node, nor
+// (b) via a cookie, since the frontend JS will not be able to access a cross-domain cookie.
 async function setCsrfToken() {
   const token = await api.get(config.apiUrl + '/csrf-token')
diff --git a/waspc/data/Generator/templates/server/src/app.js b/waspc/data/Generator/templates/server/src/app.js
index ce8f1f515..e5f5b8209 100644
--- a/waspc/data/Generator/templates/server/src/app.js
+++ b/waspc/data/Generator/templates/server/src/app.js
@@ -18,6 +18,7 @@ import { useSession } from './session.js'
 const app = express()
 app.use(helmet())
+// TODO: review PR that concerns this.
 app.use(cors({
   origin: config.frontendUrl,
   methods: ['POST', 'PUT', 'GET', 'OPTIONS', 'HEAD'],
diff --git a/waspc/data/Generator/templates/server/src/routes/index.js b/waspc/data/Generator/templates/server/src/routes/index.js
index 709e28002..f348b4b01 100644
--- a/waspc/data/Generator/templates/server/src/routes/index.js
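Review bot: The new NOTE above setCsrfToken explains what cannot be done but never says what the function does instead, so a reader has to infer it from the `api.get` call on the next line; close the comment with a line such as `// Instead, the token is fetched from the API at startup (see below).` The body of setCsrfToken continues outside the hunk, so how the fetched token is used afterwards is not visible here.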
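Review bot: The added `// TODO: review PR that concerns this.` above the cors() call names neither the PR nor the concern, so nobody maintaining the generated template later can act on it; replace it with something like `// TODO: revisit CORS origin/credentials settings once PR <PR-ID placeholder> is resolved.` The cors() options object continues outside the hunk, so whether `credentials: true` is set — which the cookie-based session this same commit switches to `sameSite = 'none'` in session.js presumably relies on — is not visible here.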
+++ b/waspc/data/Generator/templates/server/src/routes/index.js
@@ -15,6 +15,7 @@ router.get('/', function (req, res, next) {
 {=# isAuthEnabled =}
 router.use('/auth', auth)
+// TODO: ensure this only can be requested by frontend
 router.get('/csrf-token', function (req, res) {
   res.json(req.csrfToken())
 })
diff --git a/waspc/data/Generator/templates/server/src/session.js b/waspc/data/Generator/templates/server/src/session.js
index d9f7fbbb8..a14ac9966 100644
--- a/waspc/data/Generator/templates/server/src/session.js
+++ b/waspc/data/Generator/templates/server/src/session.js
@@ -15,7 +15,6 @@ const sessionConfig = {
   saveUninitialized: true,
   cookie: {
     httpOnly: true,
-    // TODO: Use sameSite?
     maxAge: config.session.cookie.maxAge,
   },
   store: new PrismaSessionStore(prisma, {
@@ -36,7 +35,9 @@ const csrfConfig = {
 export function useSession(app) {
   if (config.env === 'production') {
     sessionConfig.cookie.secure = true
-    csurfConfig.cookie.secure = true
+    sessionConfig.cookie.sameSite = 'none'
+    csrfConfig.cookie.secure = true
+    csrfConfig.cookie.sameSite = 'none'
   }
   app.use(session(sessionConfig))
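Review bot: The added `// TODO: ensure this only can be requested by frontend` on the `/csrf-token` route records an intent without a mechanism, and the handler itself does nothing to check who is asking. The control that actually applies is the CORS origin allow-list in app.js (`origin: config.frontendUrl`), which stops a foreign origin's script from reading the JSON token even though, once the session and csrf cookies are set to `sameSite = 'none'` in the session.js hunk, those cookies will accompany cross-site requests; the comment should name that dependency, e.g. `// NOTE: cross-origin reads of this response are blocked by the CORS origin allow-list in app.js; keep that list strict.` If the route is meant to enforce it on its own rather than rely on the middleware, compare the request origin with the configured frontend and reject everything else: `if (req.get('Origin') !== config.frontendUrl) return res.sendStatus(403)` — this assumes `config` is imported in routes/index.js, which the hunk does not show.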