fix: enable secure cookies if app url starts with https

Author: stonith404

backend/src/auth/auth.controller.ts

@@ -173,11 +173,17 @@ export class AuthController {
     @Res({ passthrough: true }) response: Response,
   ) {
     await this.authService.signOut(request.cookies.access_token);
-    response.cookie("access_token", "accessToken", { maxAge: -1 });
+
+    const isSecure = this.config.get("general.appUrl").startsWith("https");
+    response.cookie("access_token", "accessToken", {
+      maxAge: -1,
+      secure: isSecure,
+    });
     response.cookie("refresh_token", "", {
       path: "/api/auth/token",
       httpOnly: true,
       maxAge: -1,
+      secure: isSecure,
     });
   }
 

backend/src/auth/auth.service.ts

@@ -272,16 +272,19 @@ export class AuthService {
     refreshToken?: string,
     accessToken?: string,
   ) {
+    const isSecure = this.config.get("general.appUrl").startsWith("https");
     if (accessToken)
       response.cookie("access_token", accessToken, {
         sameSite: "lax",
+        secure: isSecure,
         maxAge: 1000 * 60 * 60 * 24 * 30 * 3, // 3 months
       });
     if (refreshToken)
       response.cookie("refresh_token", refreshToken, {
         path: "/api/auth/token",
         httpOnly: true,
         sameSite: "strict",
+        secure: isSecure,
         maxAge: 1000 * 60 * 60 * this.config.get("general.sessionDuration"),
       });
   }

backend/src/user/user.controller.ts

@@ -19,10 +19,14 @@ import { UpdateOwnUserDTO } from "./dto/updateOwnUser.dto";
 import { UpdateUserDto } from "./dto/updateUser.dto";
 import { UserDTO } from "./dto/user.dto";
 import { UserSevice } from "./user.service";
+import { ConfigService } from "../config/config.service";
 
 @Controller("users")
 export class UserController {
-  constructor(private userService: UserSevice) {}
+  constructor(
+    private userService: UserSevice,
+    private config: ConfigService,
+  ) {}
 
   // Own user operations
   @Get("me")
@@ -49,11 +53,17 @@ export class UserController {
     @GetUser() user: User,
     @Res({ passthrough: true }) response: Response,
   ) {
-    response.cookie("access_token", "accessToken", { maxAge: -1 });
+    const isSecure = this.config.get("general.appUrl").startsWith("https");
+
+    response.cookie("access_token", "accessToken", {
+      maxAge: -1,
+      secure: isSecure,
+    });
     response.cookie("refresh_token", "", {
       path: "/api/auth/token",
       httpOnly: true,
       maxAge: -1,
+      secure: isSecure,
     });
     return new UserDTO().from(await this.userService.delete(user.id));
   }