feat: make secure flag of cookie configurable (#26)

2024-08-24 22:18:38 +08:00 · 2024-08-24 22:18:38 +08:00 · c4c1fd8aab
commit c4c1fd8aab
parent 9801ef453d
5 changed files with 10 additions and 2 deletions
--- a/app/utils/sessions.ts
+++ b/app/utils/sessions.ts
@ -27,9 +27,8 @@ export const {
 			maxAge: 60 * 60 * 24, // 24 hours
 			path: '/',
 			sameSite: 'lax',
-			// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
 			secrets: [process.env.COOKIE_SECRET!],
-			secure: true
+			secure: process.env.COOKIE_SECURE !== 'false',
 		}
 	}
 )
--- a/docs/Basic-Integration.md
+++ b/docs/Basic-Integration.md
@ -43,6 +43,7 @@ services:
      OIDC_ISSUER: 'https://sso.example.com'
      OIDC_CLIENT_SECRET: 'super_secret_client_secret'
      DISABLE_API_KEY_LOGIN: 'true'
+      COOKIE_SECURE: 'false'

      # These are the default values
      HOST: '0.0.0.0'
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@ -14,6 +14,7 @@ You can configure Headplane using environment variables.
 - **`CONFIG_FILE`**: The path to the Headscale `config.yaml` (default: `/etc/headscale/config.yaml`).
 - **`ACL_FILE`**: The path to the ACL file (default: `/etc/headscale/acl_policy.json`, not needed if you have `acl_policy_path` in your config).
 - **`HEADSCALE_CONFIG_UNSTRICT`**: This will disable the strict configuration loader (default: `false`).
+- **`COOKIE_SECURE`**: This option enables the `Secure` flag for cookies, ensuring they are sent only over HTTPS, which helps prevent interception and enhances data security. It should be disabled when using HTTP instead of HTTPS (default: `true`).

 #### Docker Integration
 The Docker integration allows Headplane to manage the Headscale docker container.
--- a/docs/integration/Docker.md
+++ b/docs/integration/Docker.md
@ -68,6 +68,9 @@ services:
      HOST: '0.0.0.0'
      PORT: '3000'
        
+      # Only set this to false if you aren't behind a reverse proxy
+      COOKIE_SECURE: 'false'
+
      # Overrides the configuration file values if they are set in config.yaml
      # If you want to share the same OIDC configuration you do not need this
      OIDC_CLIENT_ID: 'headscale'
--- a/docs/integration/Kubernetes.md
+++ b/docs/integration/Kubernetes.md
@ -98,6 +98,10 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
+
+          # Only set this to false if you aren't behind a reverse proxy
+        - name: COOKIE_SECURE
+          value: 'false'
        volumeMounts:
        - name: headscale-config
          mountPath: /etc/headscale