From: Dessalines Date: Sat, 18 Sep 2021 21:59:28 +0000 (-0400) Subject: Adding JWT secure flag. (#426) X-Git-Url: http://these/git/%22https:/join-lemmy.org/static/%7BimageUploadUrl%7D?a=commitdiff_plain;h=bf93e29f4c81360c9ccfdb7a14fd3576117ef67a;p=lemmy-ui.git Adding JWT secure flag. (#426) - Couldn't add samesite due to isomorphic library. - Couldn't add httponly, because the js needs it for calls. - Fixes #389 --- diff --git a/src/shared/env.ts b/src/shared/env.ts index 505b5c1..43b9ce0 100644 --- a/src/shared/env.ts +++ b/src/shared/env.ts @@ -37,9 +37,11 @@ export const httpBaseInternal = `http://${host}`; // Don't use secure here export const httpBase = `http${secure}://${host}`; export const wsUri = `ws${secure}://${wsHost}/api/v3/ws`; export const pictrsUri = `${httpBase}/pictrs/image`; +export const isHttps = secure.endsWith("s"); console.log(`httpbase: ${httpBase}`); console.log(`wsUri: ${wsUri}`); +console.log(`isHttps: ${isHttps}`); // This is for html tags, don't include port const httpExternalUri = `http${secure}://${externalHost.split(":")[0]}`; diff --git a/src/shared/services/UserService.ts b/src/shared/services/UserService.ts index a0268c6..c9351ef 100644 --- a/src/shared/services/UserService.ts +++ b/src/shared/services/UserService.ts @@ -3,6 +3,7 @@ import IsomorphicCookie from "isomorphic-cookie"; import jwt_decode from "jwt-decode"; import { LoginResponse, MyUserInfo } from "lemmy-js-client"; import { BehaviorSubject, Subject } from "rxjs"; +import { isHttps } from "../env"; interface Claims { sub: number; @@ -31,17 +32,18 @@ export class UserService { public login(res: LoginResponse) { let expires = new Date(); expires.setDate(expires.getDate() + 365); - IsomorphicCookie.save("jwt", res.jwt, { expires, secure: false }); + IsomorphicCookie.save("jwt", res.jwt, { expires, secure: isHttps }); console.log("jwt cookie set"); this.setClaims(res.jwt); } public logout() { - IsomorphicCookie.remove("jwt"); this.claims = undefined; this.myUserInfo = undefined; // setTheme(); this.jwtSub.next(""); + IsomorphicCookie.remove("jwt"); // TODO is sometimes unreliable for some reason + document.cookie = "jwt=; Max-Age=0; path=/; domain=" + location.host; console.log("Logged out."); }