security: when served over https, set the "secure" flag for "express_sid" and "language" cookie

The mechanism used for determining if the application is being served over SSL is wrapped by the "express-session" library for "express_sid", and manual for the "language" cookie, but it's very similar in both cases. The "secure" flag is set if one of these is true: 1. we are directly serving Etherpad over SSL using the native nodejs functionality, via the "ssl" options in settings.json 2. Etherpad is being served in plaintext by nodejs, but we are using a reverse proxy for terminating the SSL for us; In this case, the user has to be instructed to properly set trustProxy: true in settings.json, and the information wheter the application is over SSL or not will be extracted from the X-Forwarded-Proto HTTP header. Please note that this will not be compatible with applications being served over http and https at the same time. The change on webaccess.js amends 009b61b338, which did not work when the SSL termination was performed by a reverse proxy. Reference for automatic "express_sid" configuration: https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure Closes #3561.
2025-04-23 08:56:17 -04:00 · 2019-12-07 04:36:01 +01:00 · 2019-12-07 04:36:01 +01:00 · a817acbbcc
commit a817acbbcc
parent b82816c774
6 changed files with 54 additions and 3 deletions
--- a/src/node/hooks/express/specialpages.js
+++ b/src/node/hooks/express/specialpages.js
@ -45,7 +45,24 @@ exports.expressCreateServer = function (hook_name, args, cb) {
    // Or if language cookie doesn't exist
    if (req.cookies.language === undefined)
    {
-      res.cookie('language', settings.padOptions.lang);
+      cookieOptions = {
+        /* req.protocol may be 'https' because either:
+         *
+         * 1. we are directly serving the nodejs application over SSL, using
+         *    the "ssl" options in settings.json
+         *
+         * 2. we are serving the nodejs application in plaintext, but we are
+         *    using a reverse proxy that terminates SSL for us. In this case,
+         *    the user has to set trustProxy = true in settings.json, and thus
+         *    req.protocol will reflect the value of the X-Forwarded-Proto HTTP
+         *    header
+         *
+         * Please note that this will not be compatible with applications being
+         * served over http and https at the same time.
+         */
+        secure: (req.protocol === 'https'),
+      }
+      res.cookie('language', settings.padOptions.lang, cookieOptions);
    }

    // The below might break for pads being rewritten
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -131,7 +131,27 @@ exports.expressConfigure = function (hook_name, args, cb) {
    name: 'express_sid',
    proxy: true,
    cookie: {
-      secure: !!settings.ssl,
+      /*
+       * The automatic express-session mechanism for determining if the
+       * application is being served over ssl is similar to the one used for
+       * setting the language cookie, which check if one of these conditions is
+       * true:
+       *
+       * 1. we are directly serving the nodejs application over SSL, using the
+       *    "ssl" options in settings.json
+       *
+       * 2. we are serving the nodejs application in plaintext, but we are using
+       *    a reverse proxy that terminates SSL for us. In this case, the user
+       *    has to set trustProxy = true in settings.json, and the information
+       *    wheter the application is over SSL or not will be extracted from the
+       *    X-Forwarded-Proto HTTP header
+       *
+       * Please note that this will not be compatible with applications being
+       * served over http and https at the same time.
+       *
+       * reference: https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure
+       */
+      secure: 'auto',
    }
  }));