
Commit 8b9f060

Merge pull request #574 from gitroomhq/feat/no-secured
Not secured
2 parents fc60ed4 + 6ba1ab9 commit 8b9f060


13 files changed

+356
-122
lines changed


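--- a/apps/backend/src/api/routes/auth.controller.ts
+++ b/apps/backend/src/api/routes/auth.controller.ts
@@ -31,7 +31,7 @@ export class AuthController {
 
 @Get('/can-register')
 async canRegister() {
-return {register: await this._authService.canRegister()};
+return { register: await this._authService.canRegister() };
 }
 
 @Post('/register')
@@ -66,20 +66,36 @@ export class AuthController {
 
 response.cookie('auth', jwt, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
 
+if (process.env.NOT_SECURED) {
+response.header('auth', jwt);
+}
+
 if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
 response.cookie('showorg', addedOrg.organizationId, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
+
+if (process.env.NOT_SECURED) {
+response.header('showorg', addedOrg.organizationId);
+}
 }
 
 response.header('onboarding', 'true');
@@ -114,20 +130,36 @@ export class AuthController {
 
 response.cookie('auth', jwt, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
 
+if (process.env.NOT_SECURED) {
+response.header('auth', jwt);
+}
+
 if (typeof addedOrg !== 'boolean' && addedOrg?.organizationId) {
 response.cookie('showorg', addedOrg.organizationId, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
+
+if (process.env.NOT_SECURED) {
+response.header('showorg', addedOrg.organizationId);
+}
 }
 
 response.header('reload', 'true');
@@ -178,12 +210,20 @@ export class AuthController {
 
 response.cookie('auth', activate, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
 
+if (process.env.NOT_SECURED) {
+response.header('auth', activate);
+}
+
 response.header('onboarding', 'true');
 return response.status(200).send({ can: true });
 }
@@ -201,12 +241,20 @@ export class AuthController {
 
 response.cookie('auth', jwt, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
 
+if (process.env.NOT_SECURED) {
+response.header('auth', jwt);
+}
+
 response.header('reload', 'true');
 
 response.status(200).json({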
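Review bot: The added `if (process.env.NOT_SECURED) { response.header('auth', jwt); }` blocks (new lines 79–81, 143–145, 223–225 and 254–256) copy the session token into a script-readable response header, so in that mode the httpOnly attribute the cookie path still carries no longer protects the token, and any script running on the frontend origin can read it; the trade-off may be intended for plain-HTTP local setups, but nothing in the file says so. The gate is also truthiness-based, so `NOT_SECURED=false` or `NOT_SECURED=0` still enables the relaxed path. I would put a comment above the first cookie block, `// NOT_SECURED (any non-empty value) drops secure/httpOnly/sameSite and echoes the token in a readable header — intended for local HTTP only`, and move the seven-line `...(!process.env.NOT_SECURED ? { … } : {})` spread, repeated five times here and again in public.controller.ts and users.controller.ts, into one helper so the policy has a single definition, used as `...cookieSecurityOptions(),`. The methods that contain these hunks start outside the hunks.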

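--- a/apps/backend/src/api/routes/public.controller.ts
+++ b/apps/backend/src/api/routes/public.controller.ts
@@ -101,8 +101,12 @@ export class PublicController {
 if (!req.cookies.track) {
 res.cookie('track', uniqueId, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+}
+: {}),
 sameSite: 'none',
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
@@ -111,8 +115,12 @@ export class PublicController {
 if (body.fbclid && !req.cookies.fbclid) {
 res.cookie('fbclid', body.fbclid, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+}
+: {}),
 sameSite: 'none',
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });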
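Review bot: `sameSite: 'none'` stays unconditional on new lines 110 and 124 while `secure` is now dropped under NOT_SECURED, and browsers reject a cookie that carries `SameSite=None` without `Secure`, so in that mode the `track` and `fbclid` cookies would not be stored at all; auth.controller.ts and users.controller.ts move `sameSite` inside the conditional in the same commit, so this file is the inconsistent one. The same issue applies to both hunks. I would move `sameSite: 'none',` into the conditional object in each, matching the other controllers. The enclosing method starts before the first hunk and its body continues past the second.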

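--- a/apps/backend/src/api/routes/users.controller.ts
+++ b/apps/backend/src/api/routes/users.controller.ts
@@ -48,11 +48,13 @@ export class UsersController {
 async getSelf(
 @GetUserFromRequest() user: User,
 @GetOrgFromRequest() organization: Organization,
-@Req() req: Request,
+@Req() req: Request
 ) {
 if (!organization) {
 throw new HttpForbiddenException();
 }
+
+const impersonate = req.cookies.impersonate || req.headers.impersonate;
 // @ts-ignore
 return {
 ...user,
@@ -67,12 +69,10 @@ export class UsersController {
 // @ts-ignore
 isLifetime: !!organization?.subscription?.isLifetime,
 admin: !!user.isSuperAdmin,
-impersonate: !!req.cookies.impersonate,
+impersonate: !!impersonate,
 allowTrial: organization?.allowTrial,
 // @ts-ignore
-publicApi: organization?.users[0]?.role === 'SUPERADMIN' || organization?.users[0]?.role === 'ADMIN'
-? organization?.apiKey
-: '',
+publicApi: organization?.users[0]?.role === 'SUPERADMIN' || organization?.users[0]?.role === 'ADMIN' ? organization?.apiKey : '',
 };
 }
 
@@ -105,11 +105,19 @@ export class UsersController {
 
 response.cookie('impersonate', id, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
+
+if (process.env.NOT_SECURED) {
+response.header('impersonate', id);
+}
 }
 
 @Post('/personal')
@@ -175,42 +183,62 @@ export class UsersController {
 ) {
 response.cookie('showorg', id, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
 
+if (process.env.NOT_SECURED) {
+response.header('showorg', id);
+}
+
 response.status(200).send();
 }
 
 @Post('/logout')
 logout(@Res({ passthrough: true }) response: Response) {
 response.cookie('auth', '', {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 maxAge: -1,
 expires: new Date(0),
-sameSite: 'none',
 });
 
 response.cookie('showorg', '', {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 maxAge: -1,
 expires: new Date(0),
-sameSite: 'none',
 });
 
 response.cookie('impersonate', '', {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 maxAge: -1,
 expires: new Date(0),
-sameSite: 'none',
 });
 
 response.status(200).send();
@@ -223,22 +251,34 @@ export class UsersController {
 @GetUserFromRequest() user: User,
 @RealIP() ip: string,
 @UserAgent() userAgent: string,
-@Body() body: { tt: TrackEnum; fbclid: string, additional: Record<string, any> }
+@Body()
+body: { tt: TrackEnum; fbclid: string; additional: Record<string, any> }
 ) {
 const uniqueId = req?.cookies?.track || makeId(10);
 const fbclid = req?.cookies?.fbclid || body.fbclid;
-await this._trackService.track(uniqueId, ip, userAgent, body.tt, body.additional, fbclid, user);
+await this._trackService.track(
+uniqueId,
+ip,
+userAgent,
+body.tt,
+body.additional,
+fbclid,
+user
+);
 if (!req.cookies.track) {
 res.cookie('track', uniqueId, {
 domain: getCookieUrlFromDomain(process.env.FRONTEND_URL!),
-secure: true,
-httpOnly: true,
-sameSite: 'none',
+...(!process.env.NOT_SECURED
+? {
+secure: true,
+httpOnly: true,
+sameSite: 'none',
+}
+: {}),
 expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365),
 });
 }
 
-console.log('hello');
 res.status(200).json({
 track: uniqueId,
 });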
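Review bot: `const impersonate = req.cookies.impersonate || req.headers.impersonate;` on new line 57 reads the impersonation id from a request header unconditionally, whereas the response side on new lines 118–120 only emits that header under NOT_SECURED, so the accepted inputs and the emitted ones no longer match. In getSelf the value only feeds the `impersonate: !!impersonate` flag, but the code that actually resolves the impersonated user is not in this diff; if it grows the same header fallback it should be gated the same way and keep the super-admin check the cookie path presumably has — worth confirming against that middleware. I would write `const impersonate = req.cookies.impersonate || (process.env.NOT_SECURED ? req.headers.impersonate : undefined);` and note above it that `req.headers.impersonate` is typed `string | string[] | undefined`. getSelf begins at the top of the first hunk and the remaining hunks sit inside methods that start outside them.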

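--- a/apps/backend/src/main.ts
+++ b/apps/backend/src/main.ts
@@ -14,8 +14,13 @@ async function bootstrap() {
 const app = await NestFactory.create(AppModule, {
 rawBody: true,
 cors: {
-credentials: true,
-exposedHeaders: ['reload', 'onboarding', 'activate'],
+...(!process.env.NOT_SECURED ? { credentials: true } : {}),
+exposedHeaders: [
+'reload',
+'onboarding',
+'activate',
+...(process.env.NOT_SECURED ? ['auth', 'showorg', 'impersonate'] : []),
+],
 origin: [
 process.env.FRONTEND_URL,
 ...(process.env.MAIN_URL ? [process.env.MAIN_URL] : []),
@@ -39,8 +44,8 @@ async function bootstrap() {
 
 try {
 await app.listen(port);
-
-checkConfiguration() // Do this last, so that users will see obvious issues at the end of the startup log without having to scroll up.
+
+checkConfiguration(); // Do this last, so that users will see obvious issues at the end of the startup log without having to scroll up.
 
 Logger.log(`🚀 Backend is running on: http://localhost:${port}`);
 } catch (e) {
@@ -50,17 +55,17 @@ async function bootstrap() {
 
 function checkConfiguration() {
 const checker = new ConfigurationChecker();
-checker.readEnvFromProcess()
-checker.check()
+checker.readEnvFromProcess();
+checker.check();
 
 if (checker.hasIssues()) {
 for (const issue of checker.getIssues()) {
-Logger.warn(issue, 'Configuration issue')
+Logger.warn(issue, 'Configuration issue');
 }
 
-Logger.warn("Configuration issues found: " + checker.getIssuesCount())
+Logger.warn('Configuration issues found: ' + checker.getIssuesCount());
 } else {
-Logger.log("Configuration check completed without any issues.")
+Logger.log('Configuration check completed without any issues.');
 }
 }
 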
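Review bot: Nothing at startup reports that NOT_SECURED is active, even though new lines 17 and 22 make it drop CORS `credentials` and expose the `auth`, `showorg` and `impersonate` headers to the frontend origin, and checkConfiguration (new lines 56–70, fully inside the third hunk) is the place the commit already chose for surfacing such issues at the end of the log. I would add, before `if (checker.hasIssues())`, `if (process.env.NOT_SECURED) { Logger.warn('NOT_SECURED is set: cookie security attributes are disabled and auth tokens are exposed in response headers', 'Configuration issue'); }` so an operator who leaves the flag on a public deployment sees it. If ConfigurationChecker is the intended home for env checks, the same warning can be emitted from there instead; that class is not in this diff.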
