From 74b9fa407fbc5b3a76e81695479ba8161f118155 Mon Sep 17 00:00:00 2001
From: Esinko <34211401+Esinko@users.noreply.github.com>
Date: Wed, 21 Dec 2022 21:38:08 +0200
Subject: [PATCH] fix: use variables in session cookie settings and set httpOnly

Glad our members strive for better security!
---
 components/Login/Login.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/components/Login/Login.js b/components/Login/Login.js
index e09ec47f..519615be 100644
--- a/components/Login/Login.js
+++ b/components/Login/Login.js
@@ -11,6 +11,12 @@ const DynamicTestausid = dynamic(() => import('@testausserveri/react-testausid')
 import FadeIn from 'react-fade-in';
 import { apiServer } from '../../utils/api';
 
+// Which domain and path can access the session cookie
+const allowedDomain = "api.testausserveri.fi"
+const allowedPath = "/"
+
+const cookieRegex = new RegExp(`code=(.{1,}|);( |)domain=${allowedDomain.replace(/\./g, "\\.")};( |)secure;( |)httpOnly( |);path=${allowedPath.replace(/\//g, "\\/")}(;|$)`, "i")
+
 export function LoginDialog({ onClose }) {
 const accept = [
 'members',
@@ -38,8 +44,8 @@ export function LoginDialog({ onClose }) {
 }
 }).then(async res => {
 if (res.status === 200) {
- if (document.cookie.includes("code=")) document.cookie = document.cookie.replace(/code=(.{1,}|);( |)domain=api\.testausserveri\.fi;( |)path=\/(;|$)/, "")
- document.cookie += `code=${await res.text()};domain=api.testausserveri.fi;path=/;` // Note: when modifying the domain here, do not forget to change the regex above
+ if (document.cookie.includes("code=")) document.cookie = document.cookie.replace(cookieRegex, "")
+ document.cookie += `code=${await res.text()};Domain=${allowedDomain};Path=${allowedPath};Secure;HttpOnly;`
 window.location.href = `${apiServer}/v1/members`
 } else console.error("Failed to login.") // TODO: display to user
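Review bot: `HttpOnly` cannot be set from script — a cookie string written through `document.cookie` that carries `HttpOnly` is ignored entirely by the browser (RFC 6265 §5.3, non-HTTP API rule), so the `document.cookie += ...;Secure;HttpOnly;` line in the second hunk would store no session cookie at all rather than a protected one; the flag only takes effect when the API server sends it in its own `Set-Cookie` header, which is where this change belongs. Related, `cookieRegex` in this hunk can never match: the `document.cookie` getter returns only `name=value` pairs, never `domain=`, `secure`, `httpOnly` or `path=` attributes, so `document.cookie.replace(cookieRegex, "")` is a no-op (the removed regex had the same problem). If the old cookie must be cleared client-side, overwrite it with an expired lifetime instead, e.g. ``document.cookie = `code=;Domain=${allowedDomain};Path=${allowedPath};Max-Age=0` ``, and assign rather than `+=` the new value, since appending to the existing cookie string glues `code=` onto whatever cookie is already last in it. The `LoginDialog` body shown in the second hunk continues past the end of this excerpt.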