#294 SameSite First pass

NASA-AMMOS · Dec 13, 2022 · 8dae1f5 · 8dae1f5
1 parent 3e9604e
commit 8dae1f5
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 13 deletions.
diff --git a/API/Backend/Users/routes/users.js b/API/Backend/Users/routes/users.js
@@ -201,6 +201,12 @@ router.post("/login", function (req, res) {
                   username: user.username,
                   token: req.session.token,
                   groups: getUserGroups(user.username, req.leadGroupName),
+                  additional:
+                    process.env.THIRD_PARTY_COOKIES === "true"
+                      ? `; SameSite=None;${
+                          process.env.NODE_ENV === "production" ? " Secure" : ""
+                        }`
+                      : "",
                 });
                 return null;
               })

diff --git a/public/index.html b/public/index.html
@@ -336,6 +336,7 @@
           mmgisglobal.HOSTS = "#{HOSTS}";
           mmgisglobal.PORT = "#{PORT}";
           mmgisglobal.ENABLE_MMGIS_WEBSOCKETS = "#{ENABLE_MMGIS_WEBSOCKETS}";
+          mmgisglobal.THIRD_PARTY_COOKIES = "#{THIRD_PARTY_COOKIES}";
           break;
         default:
           mmgisglobal.AUTH = "%AUTH%";
@@ -348,6 +349,7 @@
           mmgisglobal.CLEARANCE_NUMBER = "%CLEARANCE_NUMBER%";
           mmgisglobal.PORT = "%PORT%";
           mmgisglobal.ENABLE_MMGIS_WEBSOCKETS = "%ENABLE_MMGIS_WEBSOCKETS%";
+          mmgisglobal.THIRD_PARTY_COOKIES = "#{THIRD_PARTY_COOKIES}";
           // eslint-disable-next-line
           mmgisglobal.HOSTS = %HOSTS%;
           break;

diff --git a/public/login.js b/public/login.js
@@ -21,12 +21,11 @@ function login() {
         (data.hasOwnProperty("status") && data.status === "success")
       ) {
         //success
-        document.cookie =
-          "MMGISUser=" +
-          JSON.stringify({
-            username: data.username,
-            token: data.token,
-          });
+        document.cookie = "MMGISUser=;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
+        document.cookie = `MMGISUser=${JSON.stringify({
+          username: data.username,
+          token: data.token,
+        })}${data.additional}`;
         window.location.reload();
       } else {
         //error

diff --git a/run/server.js b/run/server.js
@@ -83,13 +83,18 @@ permissions.users = process.env.CSSO_GROUPS
 const port = parseInt(process.env.PORT || "8888", 10);
 
 /** set the session for application */
+const cookieOptions = { maxAge: 86400000 };
+if (process.env.THIRD_PARTY_COOKIES === "true") {
+  cookieOptions.sameSite = "None";
+  if (process.env.NODE_ENV === "production") cookieOptions.secure = true;
+}
 app.use(
   session({
     secret: process.env.SECRET || "Shhhh, it is a secret!",
     name: "MMGISSession",
     proxy: true,
     resave: false,
-    cookie: { maxAge: 86400000 },
+    cookie: cookieOptions,
     saveUninitialized: false,
     store: new MemoryStore({
       checkPeriod: 86400000, // prune expired entries every 24h
@@ -690,6 +695,7 @@ setups.getBackendSetups(function (setups) {
           FORCE_CONFIG_PATH: process.env.FORCE_CONFIG_PATH,
           CLEARANCE_NUMBER: process.env.CLEARANCE_NUMBER,
           ENABLE_MMGIS_WEBSOCKETS: process.env.ENABLE_MMGIS_WEBSOCKETS,
+          THIRD_PARTY_COOKIES: process.env.THIRD_PARTY_COOKIES,
           PORT: process.env.PORT,
           HOSTS: JSON.stringify({
             scienceIntent: process.env.SCIENCE_INTENT_HOST,

diff --git a/sample.env b/sample.env
@@ -22,6 +22,11 @@ VERBOSE_LOGGING=false
 
 # Sets the Content-Security-Policy: frame-ancestors header to allow the embedding in external sites. default null, ex: FRAME_ANCESTORS='["https://*.jpl.nasa.gov"]'
 FRAME_ANCESTORS=
+# Sets "SameSite=None; Secure" on the login cookie. Useful when using AUTH=local as an iframe within a cross-origin page.
+THIRD_PARTY_COOKIES=false
+# Sets the Content-Security-Policy: frame-src header to allow the embedding external sites with mmgis. default null, ex: FRAME_ANCESTORS='["https://*.jpl.nasa.gov"]'.
+# Setting this will almost always have no effect
+FRAME_SRC=
 
 # Allows MMGIS to be deployed at a subpath. Use an absolute path. For example if serving at the subpath 'mmgis' is desired, set PUBLIC_URL to 'https://{domain}/mmgis/build'
 PUBLIC_URL=

diff --git a/src/essence/Ancillary/Login/Login.js b/src/essence/Ancillary/Login/Login.js
@@ -479,12 +479,17 @@ var Login = {
 
 function loginSuccess(data, ignoreError) {
     if (data.status == 'success') {
-        document.cookie =
-            'MMGISUser=' +
-            JSON.stringify({
-                username: data.username,
-                token: data.token,
-            })
+        document.cookie = 'MMGISUser=;expires=Thu, 01 Jan 1970 00:00:01 GMT;'
+        document.cookie = `MMGISUser=${JSON.stringify({
+            username: data.username,
+            token: data.token,
+        })}${
+            mmgisglobal.THIRD_PARTY_COOKIES === 'true'
+                ? `; SameSite=None;${
+                      mmgisglobal.NODE_ENV === 'production' ? ' Secure' : ''
+                  }`
+                : ''
+        }`
 
         Login.loggedIn = true
         $('#loginErrorMessage').animate({ opacity: '0' }, 500)