fix: make _csrf a secure cookie if the website is using https (#8045)

* Make _csrf a secure cookie if the website is using https * fix style for TravsCI * Add `url_parsed` to databasemock
5 years ago · 0efe27b1f2
parent b3511f71e0
commit 0efe27b1f2
2 changed files with 6 additions and 1 deletions
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@ -32,7 +32,11 @@ middleware.regexes = {
 };

 middleware.applyCSRF = csrf({
-	cookie: true,
+	cookie: nconf.get('url_parsed').protocol === 'https:' ? {
+		secure: true,
+		sameSite: 'Strict',
+		httpOnly: true,
+	} : true,
 });

 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
--- a/test/mocks/databasemock.js
+++ b/test/mocks/databasemock.js
@ -119,6 +119,7 @@ before(async function () {
 	// Parse out the relative_url and other goodies from the configured URL
 	const urlObject = url.parse(nconf.get('url'));
 	const relativePath = urlObject.pathname !== '/' ? urlObject.pathname : '';
+	nconf.set('url_parsed', urlObject);
 	nconf.set('base_url', urlObject.protocol + '//' + urlObject.host);
 	nconf.set('secure', urlObject.protocol === 'https:');
 	nconf.set('use_port', !!urlObject.port);