Merge pull request #203 from UWB-ACM/security-changes

Security changes

Author: UWB-ACM-OFFICIAL

next.config.ts

@@ -1,5 +1,19 @@
 import type { NextConfig } from "next";
 
+const cspHeader = `
+    default-src 'self';
+    script-src 'self'${process.env.NODE_ENV === "development" ? " 'unsafe-eval' 'unsafe-inline'" : ""} https://cdn.strawpoll.com;
+    style-src 'self' 'unsafe-inline';
+    img-src 'self' blob: data:;
+    font-src 'self';
+    object-src 'none';
+    base-uri 'self';
+    form-action 'self';
+    frame-ancestors 'none';
+    frame-src https://strawpoll.com;
+    upgrade-insecure-requests;
+`;
+
 const nextConfig: NextConfig = {
     images: {
         formats: ["image/avif", "image/webp"],
@@ -22,6 +36,19 @@ const nextConfig: NextConfig = {
             },
         ],
     },
+    async headers() {
+        return [
+            {
+                source: "/(.*)",
+                headers: [
+                    {
+                        key: "Content-Security-Policy",
+                        value: cspHeader.replace(/\n/g, ""),
+                    },
+                ],
+            },
+        ];
+    },
 };
 
 export default nextConfig;

src/util/logout.ts

@@ -9,11 +9,11 @@ import { buildKey } from "@/src/util/redis";
  */
 export async function logoutUser() {
     const cookieStore = await cookies();
-    const sessionCookie = cookieStore.get("session-uwbh25");
+    const sessionCookie = cookieStore.get("__Host-session-uwbh25");
 
     if (sessionCookie?.value) {
         await redis.del(buildKey("session", sessionCookie.value));
-        await cookieStore.delete("session-uwbh25");
+        cookieStore.delete("__Host-session-uwbh25");
 
         console.log("User logged out successfully.");
     }

src/util/session.ts

@@ -53,7 +53,7 @@ export interface Session {
 export async function getSession(): Promise<Session> {
     const cookieStore = await cookies();
 
-    const cookie = cookieStore.get("session-uwbh25");
+    const cookie = cookieStore.get("__Host-session-uwbh25");
     if (!cookie?.value) {
         console.error("No session cookie found.");
         return {};
@@ -73,7 +73,7 @@ export async function getSession(): Promise<Session> {
  * Ensures that a request/response has a session
  */
 export async function ensureSession(req: NextRequest, res: NextResponse) {
-    const cookie = req.cookies.get("session-uwbh25");
+    const cookie = req.cookies.get("__Host-session-uwbh25");
 
     // If we have a cookie, ensure that it points to a valid session.
     // Otherwise, create a new one.
@@ -99,15 +99,19 @@ export async function ensureSession(req: NextRequest, res: NextResponse) {
     const expiresAt = new Date(Date.now() + sessionTimeSeconds * 1000);
 
     res.cookies.set({
-        name: "session-uwbh25",
+        name: "__Host-session-uwbh25",
         value: newSessionId,
         expires: expiresAt,
+        httpOnly: true,
+        secure: true,
+        sameSite: "strict",
     });
 
     // Also set the request header so that any server
     // side code has the right session ID.
+    // This doesn't write any cookies.
     req.cookies.set({
-        name: "session-uwbh25",
+        name: "__Host-session-uwbh25",
         value: newSessionId,
     });
 }
@@ -121,7 +125,7 @@ export async function ensureSession(req: NextRequest, res: NextResponse) {
 export async function saveSession(data: Session): Promise<void> {
     const cookieStore = await cookies();
 
-    const cookie = cookieStore.get("session-uwbh25");
+    const cookie = cookieStore.get("__Host-session-uwbh25");
     if (!cookie?.value) {
         // This shouldn't happen, since every user should
         // have a session.