From 1eb0bdb4ae91822bf19125703d8b3f17e6b54174 Mon Sep 17 00:00:00 2001
From: Colin Darie
Date: Wed, 3 Jul 2024 11:04:16 +0200
Subject: [PATCH] chore: cookies with "secure" flag (only transmitted through https)
---
 app/controllers/agent_connect/agent_controller.rb | 4 ++--
 app/controllers/application_controller.rb | 2 +-
 .../application_controller/long_lived_authenticity_token.rb | 3 ++-
 app/controllers/instructeurs/procedures_controller.rb | 3 ++-
 app/models/concerns/trusted_device_concern.rb | 3 ++-
 config/initializers/session_store.rb | 2 +-
 6 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/app/controllers/agent_connect/agent_controller.rb b/app/controllers/agent_connect/agent_controller.rb
index 6116b1f2b..cd42e6f16 100644
--- a/app/controllers/agent_connect/agent_controller.rb
+++ b/app/controllers/agent_connect/agent_controller.rb
@@ -12,8 +12,8 @@ class AgentConnect::AgentController < ApplicationController
 def login
 uri, state, nonce = AgentConnectService.authorization_uri
- cookies.encrypted[STATE_COOKIE_NAME] = state
- cookies.encrypted[NONCE_COOKIE_NAME] = nonce
+ cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production? }
+ cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production? }
 redirect_to uri, allow_other_host: true
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index bc172fe47..2771bf78f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -117,7 +117,7 @@ class ApplicationController < ActionController::Base
 def set_locale(locale)
 if locale && locale.to_sym.in?(I18n.available_locales)
- cookies[:locale] = locale
+ cookies[:locale] = { value: locale, secure: Rails.env.production? }
 if user_signed_in?
 current_user.update(locale: locale)
 end
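Review bot: The state and nonce cookies gain `secure` but still lack `httponly: true`, unlike the cookies touched in long_lived_authenticity_token.rb, procedures_controller.rb and trusted_device_concern.rb, which carry both. Assuming these OIDC values are only read back server-side on the callback, write `cookies.encrypted[STATE_COOKIE_NAME] = { value: state, httponly: true, secure: Rails.env.production? }` and the same for the nonce, so they are not exposed to page scripts; the same question applies to `cookies[:locale]` in application_controller.rb if nothing client-side reads it. Separately, `secure: Rails.env.production?` is repeated in all six hunks and keys the flag to the environment name rather than to TLS, so any non-production environment served over HTTPS (staging, review apps) still gets cookies without `secure`. If config/environments/production.rb sets `config.force_ssl = true` (not visible here), ActionDispatch::SSL already rewrites every Set-Cookie with `secure`, including the session cookie from session_store.rb, and these per-call options become redundant; if it does not, enabling it is the more complete fix, since it also redirects plain-http requests and emits HSTS.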
diff --git a/app/controllers/application_controller/long_lived_authenticity_token.rb b/app/controllers/application_controller/long_lived_authenticity_token.rb
index cb10c52bd..54eb16f31 100644
--- a/app/controllers/application_controller/long_lived_authenticity_token.rb
+++ b/app/controllers/application_controller/long_lived_authenticity_token.rb
@@ -24,7 +24,8 @@ module ApplicationController::LongLivedAuthenticityToken
 cookies.signed[COOKIE_NAME] = {
 value: csrf_token,
 expires: 1.year.from_now,
- httponly: true
+ httponly: true,
+ secure: Rails.env.production?
 }
 session[:_csrf_token] = csrf_token
diff --git a/app/controllers/instructeurs/procedures_controller.rb b/app/controllers/instructeurs/procedures_controller.rb
index 2b8702cf3..6c8326050 100644
--- a/app/controllers/instructeurs/procedures_controller.rb
+++ b/app/controllers/instructeurs/procedures_controller.rb
@@ -248,7 +248,8 @@ module Instructeurs
 @export_templates = current_instructeur.export_templates_for(@procedure).includes(:groupe_instructeur)
 cookies.encrypted[cookies_export_key] = {
 value: DateTime.current,
- expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT
+ expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT,
+ secure: Rails.env.production?
 }
 respond_to do |format|
diff --git a/app/models/concerns/trusted_device_concern.rb b/app/models/concerns/trusted_device_concern.rb
index 2aa895893..1765f565c 100644
--- a/app/models/concerns/trusted_device_concern.rb
+++ b/app/models/concerns/trusted_device_concern.rb
@@ -8,7 +8,8 @@ module TrustedDeviceConcern
 cookies.encrypted[TRUSTED_DEVICE_COOKIE_NAME] = {
 value: JSON.generate({ created_at: start_at }),
 expires: start_at + TRUSTED_DEVICE_PERIOD,
- httponly: true
+ httponly: true,
+ secure: Rails.env.production?
 }
 end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index f110f4cb3..96e2b62b5 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cookie_store, key: '_DS_session'
+Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?