Allow insecure connections with credentials in development environment

Only required until expressjs/session#837 is fixed
Wunst · Feb 5, 2024 · 900a0d4 · 900a0d4
1 parent c003532
commit 900a0d4
Showing 1 changed file with 27 additions and 8 deletions.
diff --git a/src/app.ts b/src/app.ts
@@ -1,41 +1,60 @@
 import express from 'express';
 import session from 'express-session';
+import bodyParser from 'body-parser';
+import cors, { CorsOptions } from 'cors';
+
 import { AppDataSource } from './data-source';
-import { Role, User } from './user';
 import auth from './auth';
 import user from './user';
-import bodyParser from 'body-parser';
-import cors from 'cors';
-import bcrypt from 'bcrypt';
-import { BaseEntity, DataSource } from 'typeorm';
 
 declare module 'express-session' {
     interface SessionData {
         userId: number;
     }
 }
 
+let cors_set: CorsOptions = {};
+
+if (process.env['NODE_ENV'] === 'development') {
+    console.warn("\n\nDANGER: Running in a development environment. \
+Will pretend ALL connections are secure.\n\n");
+
+    Object.defineProperty(express.request, 'secure', {
+        get() {
+            return true;
+        }
+    });
+
+    cors_set = {
+        origin: 'http://localhost:8080',
+        credentials: true,
+    };
+}
 
 const port = 3001;
 
 const app = express();
 
 app.use(bodyParser.json());
 
-app.use(cors());
+app.use(cors(cors_set));
 
 app.use(session({
     secret: 'my secret', // TODO: Replace with real secret
     resave: false,
-    saveUninitialized: false
+    saveUninitialized: false,
+    cookie: {
+        maxAge: 24 * 60 * 60 * 1000, // TODO: Server side expiry
+        sameSite: 'none',
+        secure: true,
+    }
 }));
 
 app.post('/login', auth.login);
 app.get('/logout', auth.logout);
 
 app.post('/changePassword', user.changePassword);
 app.post('/resetPassword', user.resetPassword);
-
 app.post('/createUser', user.createUser);
 
 AppDataSource.initialize()