From 6463699c6c9f4cdb8eb6dc978fb66dc0986577ca Mon Sep 17 00:00:00 2001
From: Morgan Ney
Date: Thu, 14 Dec 2023 09:47:58 -0600
Subject: [PATCH] fix: secure cookie configs.

---
 packages/api/src/handlers/authn.ts | 8 ++++++++
 packages/api/src/index.ts | 1 +
 packages/web/certs/README.md | 2 +-
 packages/web/templates/default.conf.template | 1 +
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/packages/api/src/handlers/authn.ts b/packages/api/src/handlers/authn.ts
index 701d87a..81597bd 100644
--- a/packages/api/src/handlers/authn.ts
+++ b/packages/api/src/handlers/authn.ts
@@ -79,6 +79,14 @@ const authn = {
 expires: req.session.cookie.expires
 }
+ /**
+ * Doesn't seem necessary atm since the session
+ * is currently being saved to the store at the
+ * end of the HTTP response, however, consider
+ * using `req.session.regenerate` and `req.session.save`
+ * as exemplified in the documentation:
+ * @see https://www.npmjs.com/package/express-session#user-login
+ */
 debug('setting user to session', sessUser)
 req.session.user = sessUser
 debug('setting session user ID', user.id)
diff --git a/packages/api/src/index.ts b/packages/api/src/index.ts
index bda3fd7..140fffd 100644
--- a/packages/api/src/index.ts
+++ b/packages/api/src/index.ts
@@ -25,6 +25,7 @@ const sess: SessionOptions = {
 resave: false,
 saveUninitialized: false,
 unset: 'destroy',
+ proxy: true,
 cookie: {
 maxAge: SESSION_DURATION_MS,
 httpOnly: true,
diff --git a/packages/web/certs/README.md b/packages/web/certs/README.md
index e4b2566..a45e456 100644
--- a/packages/web/certs/README.md
+++ b/packages/web/certs/README.md
@@ -2,7 +2,7 @@
 1. Install [mkcert](https://github.com/FiloSottile/mkcert#installation).
 2. `mkcert -install`.
-3. `mkcert busmap.localhost`.
+3. `mkcert -key-file busmap.localhost-key.pem -cert-file busmap.localhost.pem busmap.localhost localhost`.
 That should install a CA in your OS trust store and produce two files:
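Review bot: The new comment in authn.ts frames `req.session.regenerate` as a persistence question, but its security role is to rotate the session ID at login so an identifier issued before authentication is not carried into the authenticated session (session fixation); the store being written at the end of the response does not provide that. Calling `req.session.regenerate` before `req.session.user = sessUser` (moving the assignment and the following lines into its callback, since it is asynchronous) would close this, and the comment should state that reason instead of deferring it. I would reword the `Doesn't seem necessary atm` sentence to something like `Regenerate the session ID on login so a pre-authentication session ID is never reused for the authenticated session`. The enclosing `authn` handler starts and ends outside the hunk, so I cannot see whether a regenerate call already happens earlier in it.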
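Review bot: `proxy: true` in index.ts makes express-session accept `X-Forwarded-Proto` from whoever sent the request when deciding whether a `secure` cookie may be set, so it is only safe as long as every request reaches the API through the nginx template in this commit, which overwrites that header; an API port reachable directly would let a client claim HTTPS. It also only has an effect when `cookie.secure` is `true` or `'auto'`, and that field lies outside the hunk, so I cannot confirm from here that the cookie actually carries the Secure attribute. A comment would keep the next reader from treating the flag as noise: `proxy: true, // trust X-Forwarded-Proto (overwritten by the nginx template) when deciding cookie.secure`. The `sess` object starts before and continues after the hunk.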
diff --git a/packages/web/templates/default.conf.template b/packages/web/templates/default.conf.template
index e309816..26e6634 100644
--- a/packages/web/templates/default.conf.template
+++ b/packages/web/templates/default.conf.template
@@ -31,6 +31,7 @@ server {
 proxy_pass http://api_server;
 # Allow keepalive to work with the upstream
 proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Connection "";
 }
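Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` replaces any client-supplied value with the scheme nginx itself served, which is exactly what the API's new `proxy: true` depends on, yet nothing in the template records that coupling. A one-line comment above it, `# Overwrite X-Forwarded-Proto so express-session (proxy: true) only marks cookies Secure on TLS requests`, would keep the two files from drifting apart. Note that if this nginx ever sits behind another TLS-terminating proxy, `$scheme` would report `http` and the session cookie would silently lose Secure; that is inferred from this line alone, since the enclosing `location` block starts outside the hunk.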