From 3ae999024f308bf6fc8bca004863bc570211b803 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Wed, 10 Jun 2020 12:21:11 +0200 Subject: [PATCH] Fix broken cookie handling due to missing proxy awareness We enabled the `secure` flag for various cookies in previous commits. This caused setups behind reverse proxies to drop cookies as the nodejs instance wasn't aware of the fact that it was able to hand out secure commits using an insecure connection (between the codimd instance and the reverse proxy). This patch makes express, the webserver framework we use, aware of proxies and this way re-enabled the handing out of cookies. Not only the cookie monster will enjoy, but also functionality like authentication and real-time editing will return as intended. References: https://www.npmjs.com/package/express-session#cookiesecure https://github.com/codimd/server/commit/383d791a50919bb9890a3f3f797ecc95125ab8bf Signed-off-by: Sheogorath --- src/lib/app.ts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/lib/app.ts b/src/lib/app.ts index 93a0399b9..0fb01c2a1 100644 --- a/src/lib/app.ts +++ b/src/lib/app.ts @@ -63,6 +63,13 @@ if (config.useSSL) { server = http.createServer(app) } +// if we manage to provide HTTPS domains, but don't provide TLS ourselves +// obviously a proxy is involded. In order to make sure express is aware of +// this, we provide the option to trust proxies here. +if (!config.useSSL && config.protocolUseSSL) { + app.set('trust proxy', 1) +} + // socket io const io = SocketIO(server, { cookie: false }) io.engine.ws = new WebSocket.Server({