make cookie a bit more secure - fixes #445

We can't make the cookie `HttpOnly` because we're setting it from
Javascript, but I'm not sure it's worth the trouble to redesign that:
`JSON.parse(localStorage.account).token` gives you the token anyway,
hiding the cookie from JS won't offer much protection.

At least we can mark is `Secure` (meaning, only send it over HTTPS)
and _delete it on logout_ (it wasn't!)
This commit is contained in:
dakkar 2024-03-10 10:26:04 +00:00
parent d1f0fc6d5d
commit 6826e43ad7
1 changed files with 2 additions and 1 deletions

View File

@ -43,6 +43,7 @@ export async function signout() {
waiting(); waiting();
miLocalStorage.removeItem('account'); miLocalStorage.removeItem('account');
await removeAccount($i.id); await removeAccount($i.id);
document.cookie = `token=; path=/; max-age=0${ location.protocol === 'https:' ? '; Secure' : ''}`;
const accounts = await getAccounts(); const accounts = await getAccounts();
//#region Remove service worker registration //#region Remove service worker registration
@ -200,7 +201,7 @@ export async function login(token: Account['token'], redirect?: string) {
throw reason; throw reason;
}); });
miLocalStorage.setItem('account', JSON.stringify(me)); miLocalStorage.setItem('account', JSON.stringify(me));
document.cookie = `token=${token}; path=/; max-age=31536000`; // bull dashboardの認証とかで使う document.cookie = `token=${token}; path=/; max-age=31536000${ location.protocol === 'https:' ? '; Secure' : ''}`; // bull dashboardの認証とかで使う
await addAccount(me.id, token); await addAccount(me.id, token);
if (redirect) { if (redirect) {