feat: make secure attribute of session cookie configurable (#49)

re-mxp · web-flow · commit 9c03dd3e59e5 · 2022-11-30T12:42:58.000+01:00
* Updated readme with configurable secure attribute info

* Make secure attribute for session cookie configurable
diff --git a/README.md b/README.md
@@ -212,6 +212,8 @@ Here's what the full _default_ module configuration looks like:
     storePrefix: 'sessions',
     // The session cookie same site policy is `lax`
     cookieSameSite: 'lax',
+    // `Secure` attribute of session cookie is set to `true`
+    cookieSecure: true,
     // In-memory storage is used (these are `unjs/unstorage` options)
     storageOptions: {
         driver: 'memory',
diff --git a/src/module.ts b/src/module.ts
@@ -18,6 +18,7 @@ const defaults: FilledModuleOptions = {
     idLength: 64,
     storePrefix: 'sessions',
     cookieSameSite: 'lax',
+    cookieSecure: true,
     storageOptions: {
       driver: 'memory',
       options: {}
diff --git a/src/runtime/server/middleware/session/index.ts b/src/runtime/server/middleware/session/index.ts
@@ -11,8 +11,8 @@ const SESSION_COOKIE_NAME = 'sessionId'
 const safeSetCookie = (event: H3Event, name: string, value: string) => setCookie(event, name, value, {
   // Max age of cookie in seconds
   maxAge: useRuntimeConfig().session.session.expiryInSeconds,
-  // Only send cookie via HTTPs to mitigate man-in-the-middle attacks
-  secure: true,
+  // Wether to send cookie via HTTPs to mitigate man-in-the-middle attacks
+  secure: useRuntimeConfig().session.session.cookieSecure,
   // Only send cookie via HTTP requests, do not allow access of cookie from JS to mitigate XSS attacks
   httpOnly: true,
   // Do not send cookies on many cross-site requests to mitigates CSRF and cross-site attacks, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
diff --git a/src/types.ts b/src/types.ts
@@ -57,6 +57,14 @@ export interface SessionOptions {
    * @docs https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
    */
   cookieSameSite: SameSiteOptions
+  /**
+   * Wether to set the `Secure` attribute for the session cookie
+   * @default true
+   * @example false
+   * @type boolean
+   * @docs https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
+   */
+  cookieSecure: boolean
   /**
    * Driver configuration for session-storage. Per default in-memory storage is used
    * @default { driver: 'memory', options: {} }
