Merge pull request #574 from gitroomhq/feat/no-secured

Not secured

Author: nevo-david

apps/backend/src/api/routes/auth.controller.ts

@@ -31,7 +31,7 @@ export class AuthController {
 
   @Get('/can-register')
   async canRegister() {
-    return {register: await this._authService.canRegister()};
+    return { register: await this._authService.canRegister() };
   }
 
   @Post('/register')
@@ -66,20 +66,36 @@ export class AuthController {
 
       response.cookie('auth', jwt, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
 
+      if (process.env.NOT_SECURED) {
+        response.header('auth', jwt);
+      }
+
       if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
         response.cookie('showorg', addedOrg.organizationId, {
           domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-          secure: true,
-          httpOnly: true,
-          sameSite: 'none',
+          ...(!process.env.NOT_SECURED
+            ? {
+                secure: true,
+                httpOnly: true,
+                sameSite: 'none',
+              }
+            : {}),
           expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
         });
+
+        if (process.env.NOT_SECURED) {
+          response.header('showorg', addedOrg.organizationId);
+        }
       }
 
       response.header('onboarding', 'true');
@@ -114,20 +130,36 @@ export class AuthController {
 
       response.cookie('auth', jwt, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
 
+      if (process.env.NOT_SECURED) {
+        response.header('auth', jwt);
+      }
+
       if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
         response.cookie('showorg', addedOrg.organizationId, {
           domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-          secure: true,
-          httpOnly: true,
-          sameSite: 'none',
+          ...(!process.env.NOT_SECURED
+            ? {
+                secure: true,
+                httpOnly: true,
+                sameSite: 'none',
+              }
+            : {}),
           expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
         });
+
+        if (process.env.NOT_SECURED) {
+          response.header('showorg', addedOrg.organizationId);
+        }
       }
 
       response.header('reload', 'true');
@@ -178,12 +210,20 @@ export class AuthController {
 
     response.cookie('auth', activate, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('auth', activate);
+    }
+
     response.header('onboarding', 'true');
     return response.status(200).send({ can: true });
   }
@@ -201,12 +241,20 @@ export class AuthController {
 
     response.cookie('auth', jwt, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('auth', jwt);
+    }
+
     response.header('reload', 'true');
 
     response.status(200).json({

apps/backend/src/api/routes/public.controller.ts

@@ -101,8 +101,12 @@ export class PublicController {
     if (!req.cookies.track) {
       res.cookie('track', uniqueId, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+            }
+          : {}),
         sameSite: 'none',
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
@@ -111,8 +115,12 @@ export class PublicController {
     if (body.fbclid && !req.cookies.fbclid) {
       res.cookie('fbclid', body.fbclid, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+            }
+          : {}),
         sameSite: 'none',
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });

apps/backend/src/api/routes/users.controller.ts

@@ -48,11 +48,13 @@ export class UsersController {
   async getSelf(
     @GetUserFromRequest() user: User,
     @GetOrgFromRequest() organization: Organization,
-    @Req() req: Request,
+    @Req() req: Request
   ) {
     if (!organization) {
       throw new HttpForbiddenException();
     }
+
+    const impersonate = req.cookies.impersonate || req.headers.impersonate;
     // @ts-ignore
     return {
       ...user,
@@ -67,12 +69,10 @@ export class UsersController {
       // @ts-ignore
       isLifetime: !!organization?.subscription?.isLifetime,
       admin: !!user.isSuperAdmin,
-      impersonate: !!req.cookies.impersonate,
+      impersonate: !!impersonate,
       allowTrial: organization?.allowTrial,
       // @ts-ignore
-      publicApi: organization?.users[0]?.role === 'SUPERADMIN' || organization?.users[0]?.role === 'ADMIN'
-          ? organization?.apiKey
-          : '',
+      publicApi: organization?.users[0]?.role === 'SUPERADMIN' || organization?.users[0]?.role === 'ADMIN' ? organization?.apiKey  : '',
     };
   }
 
@@ -105,11 +105,19 @@ export class UsersController {
 
     response.cookie('impersonate', id, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
+
+    if (process.env.NOT_SECURED) {
+      response.header('impersonate', id);
+    }
   }
 
   @Post('/personal')
@@ -175,42 +183,62 @@ export class UsersController {
   ) {
     response.cookie('showorg', id, {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
-      sameSite: 'none',
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
     });
 
+    if (process.env.NOT_SECURED) {
+      response.header('showorg', id);
+    }
+
     response.status(200).send();
   }
 
   @Post('/logout')
   logout(@Res({ passthrough: true }) response: Response) {
     response.cookie('auth', '', {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       maxAge: -1,
       expires: new Date(0),
-      sameSite: 'none',
     });
 
     response.cookie('showorg', '', {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       maxAge: -1,
       expires: new Date(0),
-      sameSite: 'none',
     });
 
     response.cookie('impersonate', '', {
       domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-      secure: true,
-      httpOnly: true,
+      ...(!process.env.NOT_SECURED
+        ? {
+            secure: true,
+            httpOnly: true,
+            sameSite: 'none',
+          }
+        : {}),
       maxAge: -1,
       expires: new Date(0),
-      sameSite: 'none',
     });
 
     response.status(200).send();
@@ -223,22 +251,34 @@ export class UsersController {
     @GetUserFromRequest() user: User,
     @RealIP() ip: string,
     @UserAgent() userAgent: string,
-    @Body() body: { tt: TrackEnum; fbclid: string, additional: Record<string, any> }
+    @Body()
+    body: { tt: TrackEnum; fbclid: string; additional: Record<string, any> }
   ) {
     const uniqueId = req?.cookies?.track || makeId(10);
     const fbclid = req?.cookies?.fbclid || body.fbclid;
-    await this._trackService.track(uniqueId, ip, userAgent, body.tt, body.additional, fbclid, user);
+    await this._trackService.track(
+      uniqueId,
+      ip,
+      userAgent,
+      body.tt,
+      body.additional,
+      fbclid,
+      user
+    );
     if (!req.cookies.track) {
       res.cookie('track', uniqueId, {
         domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-        secure: true,
-        httpOnly: true,
-        sameSite: 'none',
+        ...(!process.env.NOT_SECURED
+          ? {
+              secure: true,
+              httpOnly: true,
+              sameSite: 'none',
+            }
+          : {}),
         expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
       });
     }
 
-    console.log('hello');
     res.status(200).json({
       track: uniqueId,
     });

apps/backend/src/main.ts

@@ -14,8 +14,13 @@ async function bootstrap() {
   const app = await NestFactory.create(AppModule, {
     rawBody: true,
     cors: {
-      credentials: true,
-      exposedHeaders: ['reload', 'onboarding', 'activate'],
+      ...(!process.env.NOT_SECURED ? { credentials: true } : {}),
+      exposedHeaders: [
+        'reload',
+        'onboarding',
+        'activate',
+        ...(process.env.NOT_SECURED ? ['auth', 'showorg', 'impersonate'] : []),
+      ],
       origin: [
         process.env.FRONTEND_URL,
         ...(process.env.MAIN_URL ? [process.env.MAIN_URL] : []),
@@ -39,8 +44,8 @@ async function bootstrap() {
 
   try {
     await app.listen(port);
-    
-    checkConfiguration() // Do this last, so that users will see obvious issues at the end of the startup log without having to scroll up.
+
+    checkConfiguration(); // Do this last, so that users will see obvious issues at the end of the startup log without having to scroll up.
 
     Logger.log(`🚀 Backend is running on: http://localhost:${port}`);
   } catch (e) {
@@ -50,17 +55,17 @@ async function bootstrap() {
 
 function checkConfiguration() {
   const checker = new ConfigurationChecker();
-  checker.readEnvFromProcess()
-  checker.check()
+  checker.readEnvFromProcess();
+  checker.check();
 
   if (checker.hasIssues()) {
     for (const issue of checker.getIssues()) {
-      Logger.warn(issue, 'Configuration issue')
+      Logger.warn(issue, 'Configuration issue');
     }
 
-    Logger.warn("Configuration issues found: " + checker.getIssuesCount())
+    Logger.warn('Configuration issues found: ' + checker.getIssuesCount());
   } else {
-    Logger.log("Configuration check completed without any issues.")
+    Logger.log('Configuration check completed without any issues.');
   }
 }