Merge pull request #1193 from jembi/fix/cookie-proxy

fix: trust proxy ssl to forward session cookie

Author: michaelloosen

config/config.md

@@ -46,6 +46,10 @@ The following config option are provided by the OpenHIM. All of these options ha
     // The session secret key used for the hashing of signed cookie (used to detect if the client modified the cookie)
     // Signed cookie is another cookie of the same name with the .sig suffix appended
     "sessionKey": "r8q,+&1LM3)CD*zAGpx1xm{NeQhc;#",
+    // If OpenHIM is behind a proxy (should be `true` if the proxy sends relevant Forwarded headers)
+    "trustProxy": false,
+    // Secure the cookie (either protocol is https or trusting a secured proxy)
+    secureCookie: true,
     // The session max age is the session cookie expiration time (in milliseconds)
     "maxAge": 7200000,
     // The number of characters that will be used to generate a random salt for the encryption of passwords

config/default.json

@@ -33,6 +33,8 @@
   },
   "api": {
     "sessionKey": "r8q,+&1LM3)CD*zAGpx1xm{NeQhc;#",
+    "trustProxy": false,
+    "secureCookie": true,
     "maxAge": 7200000,
     "salt": 10,
     "enabled": true,

package.json

@@ -1,7 +1,7 @@
 {
   "name": "openhim-core",
   "description": "The OpenHIM core application that provides logging and routing of http requests",
-  "version": "7.2.1",
+  "version": "7.3.0",
   "main": "./lib/server.js",
   "bin": {
     "openhim-core": "./bin/openhim-core.js"

src/koaApi.js

@@ -40,12 +40,17 @@ export function setupApp(done) {
 
   // Configure Sessions Middleware
   app.keys = [config.api.sessionKey]
+  
+  if (config.api.trustProxy) {
+    app.proxy = true
+  }
+  
   app.use(
     session(
       {
         maxAge: config.api.maxAge || 7200000,
         resave: false,
-        secure: true,
+        secure: config.api.secureCookie,
         httpOnly: true,
         sameSite: 'none',
         store: new MongooseStore()