feat: securing the cookies

refactor: utilizing cool options for nginx
2023-10-09 04:22:09 +00:00 · 2023-10-09 03:17:47 +00:00
4 changed files with 40 additions and 10 deletions
--- a/auth-notes.org
+++ b/auth-notes.org
@ -184,7 +184,7 @@ now works
 because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection
 *** adding a custom flag:
 https://github.com/pocketbase/pocketbase/discussions/1900
-** TODO change some additional config to option :
+** DONE change some additional config to option :
      ${optionalString config.proxyWebsockets ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
@ -192,13 +192,29 @@ https://github.com/pocketbase/pocketbase/discussions/1900
      ''}
 ( also in planning poker repo )

+https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428


 ** TODO add docker image from nix
 *** CANCELLED add cli for port and host
 ** TODO add readme and comments
-** TODO configure tls / ssl / https on franzk deployment
+** DONE configure tls / ssl / https on franzk deployment
+https://nixos.org/manual/nixos/stable/#module-security-acme-nginx
+( and also same here https://nixos.wiki/wiki/Nginx )
+
 can it be configured on render.com?
+omg
+line 112 & 113 in project config:
+http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05
+
+and this in my server config:
+https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f
+
+this is all that's needed to enable tls
+mind blown
+** DONE somehow set cookie to httpOnly & secure
+with ability to disable for development session
+
 ** TODO maybe add middleware so that 401 would be a page, and not json
 ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
 http://localhost:8090/_/images/oauth2/apple.svg
--- a/flake.nix
+++ b/flake.nix
@ -114,10 +114,9 @@
                  locations."/" = {
                    proxyPass = "http://127.0.0.1:${toString cfg.port}";
                    # taken from https://pocketbase.io/docs/going-to-production/
+                    proxyWebsockets = true;
                    extraConfig = ''
                      # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
-                      proxy_set_header Connection ''';
-                      proxy_http_version 1.1;
                      proxy_read_timeout 360s;

                      proxy_set_header Host $host;
--- a/main.go
+++ b/main.go
@ -2,6 +2,7 @@ package main

 import (
 	"log"
+	"strings"

 	"github.com/pocketbase/pocketbase"
 	"sunshine.industries/auth-pocketbase-attempt/middleware"
@ -10,7 +11,11 @@ import (

 func main() {
 	app := pocketbase.New()
-	middleware.AddCookieSessionMiddleware(app)
+
+	servedName := app.Settings().Meta.AppUrl
+	isTlsEnabled := strings.HasPrefix(servedName, "https://")
+
+	middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
 	pages.AddPageRoutes(app)

    if err := app.Start(); err != nil {
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -1,7 +1,9 @@
 package middleware

 import (
+	"log"
 	"net/http"
+
 	"github.com/labstack/echo/v5"
 	"github.com/pocketbase/pocketbase"
 	"github.com/pocketbase/pocketbase/apis"
@ -13,7 +15,9 @@ import (

 const AuthCookieName = "Auth"

-func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
+func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
+	log.Println("Warning: starting server with cookie Secure = false!")
+
 	app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
 		e.Router.Use(loadAuthContextFromCookie(app))
 		return nil
@ -25,6 +29,8 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
+			Secure: isTlsEnabled,
+			HttpOnly: true,
 		})
 		e.HttpContext.SetCookie(&http.Cookie{
 			Name: "username",
@ -37,10 +43,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
 			Name: AuthCookieName,
 			Value: e.Token,
 			Path: "/",
+			Secure: isTlsEnabled,
+			HttpOnly: true,
 		})
        return nil
    })
-	app.OnBeforeServe().Add(getLogoutRoute(app))
+	app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
 }

 func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@ -84,7 +92,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
 }

 // render and return login page with configured oauth providers
-func getLogoutRoute(app *pocketbase.PocketBase)  func(*core.ServeEvent) error {
+func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool)  func(*core.ServeEvent) error {
 	return func (e *core.ServeEvent) error {
 		e.Router.GET("/logout", func(c echo.Context) error {
 			c.SetCookie(&http.Cookie{
@ -92,6 +100,8 @@ func getLogoutRoute(app *pocketbase.PocketBase)  func(*core.ServeEvent) error {
 				Value: "",
 				Path: "/",
 				MaxAge: -1,
+				Secure: isTlsEnabled,
+				HttpOnly: true,
 			})
 			c.Response().Header().Add("HX-Trigger", "auth-change-event")
 			return c.JSON(http.StatusOK, map[string]string{"message": "session cookie removed"})
Author	SHA1	Message	Date
efim	2a3d00839f	feat: securing the cookies	2023-10-09 04:22:09 +00:00
efim	e4c79b2155	refactor: utilizing cool options for nginx	2023-10-09 03:17:47 +00:00