Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Session cookie sameSite option #2861

Merged
merged 4 commits into from
Apr 30, 2020
Merged

Session cookie sameSite option #2861

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
44c7e69
Session cookie sameSite option
ropaolle Mar 29, 2020
c1bcfde
Fix README example
timleslie Apr 30, 2020
2efdf4f
Fix docs
timleslie Apr 30, 2020
10eb10c
Merge branch 'master' into cookie-same-site
MadeByMike Apr 30, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions .changeset/purple-poets-heal.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
'@keystonejs/keystone': major
'@keystonejs/session': major
---

Moved the cookie configuration from individual options to an object which is passed directly to the express-session middleware.
Previously you could only set `secure` and `maxAge` via `secureCookies` and `cookieMaxAge`.
These options have been removed.
You can now set a config option called `cookie` which can contain `secure` and `maxAge`, as well as `domain`, `expires`, `httpOnly`, `path` and `sameSite`.

The `sameSite` option is now explicitly defaulted to `false`.

See the [express-session middleware docs](https://github.com/expressjs/session#cookie) for more details on these options..

#### Default

```javascript
const keystone = new Keystone({
cookie: {
// domain: undefined,
// expires: undefined,
// httpOnly: true,
maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
sameSite: false,
// path: '/',
secure: process.env.NODE_ENV === 'production', // Defaults to true in production
},
});
```
4 changes: 3 additions & 1 deletion docs/guides/heroku.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,9 @@ To use secure cookies we need to add below to index.js.
```js
const keystone = new Keystone({
...
secureCookies: true,
cookie: {
secure: true,
},
cookieSecret: 'very-secret'
});

Expand Down
12 changes: 11 additions & 1 deletion docs/guides/production.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,17 @@ Yes, Keystone can be (and is!) used for production websites. Here's a handy list

## Secure cookies

In production builds, [Keystone's `secureCookies`](/packages/keystone/README.md#config) defaults to true. Make sure your server is HTTPS-enabled when `secureCookies` is enabled or you will be unable to log in.
In production builds, [Keystone's `cookie` object](/packages/keystone/README.md#config) defaults to

```js
cookie = {
secure: process.env.NODE_ENV === 'production', // Defaults to true in production
maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
sameSite: false,
};
```

Make sure your server is HTTPS-enabled when `secure` is enabled or you will be unable to log in.

## Session handling

Expand Down
20 changes: 10 additions & 10 deletions packages/fields/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,17 +51,17 @@ keystone.createList('Post', {

Fields share some standard configuration options.

| Option | Type | Default | Description |
| -------------- | ----------------------------------- | ----------- | --------------------------------------------------------------------------------------- |
| `type` | `FieldType` | (required) | |
| `adminDoc` | `String` | `false` | A description for the field used in the AdminUI. |
| `schemaDoc` | `String` | `false` | A description for the field used in the GraphQL schema. |
| Option | Type | Default | Description |
| -------------- | ----------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| `type` | `FieldType` | (required) | |
| `adminDoc` | `String` | `false` | A description for the field used in the AdminUI. |
| `schemaDoc` | `String` | `false` | A description for the field used in the GraphQL schema. |
| `defaultValue` | `Any` \| `Function` | `undefined` | A valid default value for the field type. Functions must return a valid value. Use `undefined` to set no default, and `null` to set an empty default. |
| `isUnique` | `Boolean` | `false` | Whether or not the field should be unique. |
| `isRequired` | `Boolean` | `false` | Whether or not the field should be mandatory. |
| `access` | `Boolean` \| `Function` \| `Object` | `true` | See: [Access control](https://keystonejs.com/guides/access-control) options for fields. |
| `label` | `String` | | Label for the field. |
| `adminConfig` | `Object` | `{}` | Additional config which can be used when customizing `admin-ui` |
| `isUnique` | `Boolean` | `false` | Whether or not the field should be unique. |
| `isRequired` | `Boolean` | `false` | Whether or not the field should be mandatory. |
| `access` | `Boolean` \| `Function` \| `Object` | `true` | See: [Access control](https://keystonejs.com/guides/access-control) options for fields. |
| `label` | `String` | | Label for the field. |
| `adminConfig` | `Object` | `{}` | Additional config which can be used when customizing `admin-ui` |

> **Note:** Many field types have additional config options. See the documentation for individual field types for more detail.

Expand Down
27 changes: 22 additions & 5 deletions packages/keystone/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,14 +23,12 @@ const keystone = new Keystone({
| `adapter` | `Object` | Required | The database storage adapter. See the [Adapter framework](https://keystonejs.com/keystonejs/keystone/lib/adapters/) docs for more details. |
| `adapters` | `Object` | `undefined` | A list of named database adapters. Use the format `{ name: adapterObject }`. |
| `appVersion` | `Object` | See [`appVersion`](#appversion) | Configure the application version and where it is made available. |
| `cookieMaxAge` | `Int` | 30 days | The maximum time, in milliseconds, session ID cookies remain valid. |
| `cookieSecret` | `String` | `qwerty` | The secret used to sign session ID cookies. Should be long and unguessable. Don't use this default in production! |
timleslie marked this conversation as resolved.
Show resolved Hide resolved
| `cookie` | `Object` | See: [`cookie`](#cookie) | Cookie object used to configure the [express-session middleware](https://github.com/expressjs/session#cookie). |
| `defaultAccess` | `Object` | `undefined` | Default list, field, and custom schema access. See the [Access control API](https://www.keystonejs.com/api/access-control) docs for more details. |
| `defaultAdapter` | `String` | `undefined` | The name of the database adapter to use by default if multiple are provided. |
| `name` | `String` | `undefined` | The name of the project. Appears in the Admin UI. |
| `onConnect` | `Function` | `undefined` | Callback that executes once `keystone.connect()` complete. Takes no arguments. |
| `queryLimits` | `Object` | `{}` | Configures global query limits |
| `secureCookies` | `Boolean` | Variable | Defaults to true in production mode, false otherwise. See [`secureCookies`](#securecookies) for important details. |
| `sessionStore` | `Object` | `undefined` | A compatible Express session middleware. |
| `schemaNames` | `Array` | `['public']` | |

Expand Down Expand Up @@ -75,12 +73,31 @@ const keystone = new Keystone({

Note that `maxTotalResults` applies to the total results of all relationship queries separately, even if some are nested inside others.

### `secureCookies`
### `cookie`

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. If `secureCookies` is set to true (as is the default with a **production** build) for a Keystone project running on a non-HTTPS server (such as localhost), you will **not** be able to log in. In that case, be sure you set `secureCookies` to false. This does not affect development builds since this value is already false.
_**Default:**_ see Usage.

A description of the cookie properties is included in the [express-session documentation](https://github.com/expressjs/session#cookie).

#### `secure`

A secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. If `secure` is set to true (as is the default with a **production** build) for a KeystoneJS project running on a non-HTTPS server (such as localhost), you will **not** be able to log in. In that case, be sure you set `secure` to false. This does not affect development builds since this value is already false.

You can read more about secure cookies on the [MDN web docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies).

#### Usage

```javascript
const keystone = new Keystone({
/* ...config */
cookie: {
secure: process.env.NODE_ENV === 'production', // Default to true in production
maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
sameSite: false,
},
});
```

### `sessionStore`

Sets the Express server's [session middleware](https://github.com/expressjs/session). This should be configured before deploying your app.
Expand Down
10 changes: 6 additions & 4 deletions packages/keystone/lib/Keystone/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,8 +45,11 @@ module.exports = class Keystone {
cookieSecret = 'qwerty',
sessionStore,
queryLimits = {},
secureCookies = process.env.NODE_ENV === 'production', // Default to true in production
cookieMaxAge = 1000 * 60 * 60 * 24 * 30, // 30 days
cookie = {
secure: process.env.NODE_ENV === 'production', // Default to true in production
maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
sameSite: false,
},
schemaNames = ['public'],
appVersion = {
version: '1.0.0',
Expand All @@ -63,8 +66,7 @@ module.exports = class Keystone {
this._schemas = {};
this._sessionManager = new SessionManager({
cookieSecret,
secureCookies,
cookieMaxAge,
cookie,
sessionStore,
});
this.eventHandlers = { onConnect };
Expand Down
12 changes: 3 additions & 9 deletions packages/session/lib/session.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,15 +3,9 @@ const expressSession = require('express-session');
const cookie = require('cookie');

class SessionManager {
constructor({
cookieSecret = 'qwerty',
secureCookies = process.env.NODE_ENV === 'production', // Default to true in production
cookieMaxAge = 1000 * 60 * 60 * 24 * 30, // 30 days
sessionStore,
}) {
constructor({ cookieSecret = 'qwerty', cookie, sessionStore }) {
this._cookieSecret = cookieSecret;
this._secureCookies = secureCookies;
this._cookieMaxAge = cookieMaxAge;
this._cookie = cookie;
this._sessionStore = sessionStore;
}

Expand Down Expand Up @@ -63,7 +57,7 @@ class SessionManager {
resave: false,
saveUninitialized: false,
name: COOKIE_NAME,
cookie: { secure: this._secureCookies, maxAge: this._cookieMaxAge },
cookie: this._cookie,
store: this._sessionStore,
});

Expand Down