merge with master

.env.example

@@ -12,4 +12,5 @@ ACCESS_TOKEN_EXPIRES_IN=5m
 SESSION_MAX_AGE=1d
 SESSION_MAX_INACTIVE=30m
 SESSION_STORAGE=redis
+SESSION_EXPIRE_ON_BROWSER_RESTART=true
 REDIS_URL=redis://localhost:6379

README.md

@@ -52,10 +52,11 @@ TODO
 
 You can configure the services through these environment variables:
 
-| Variable       | Usage                                                                                                     |
-| -------------- | --------------------------------------------------------------------------------------------------------- |
-| `LOG_REQUESTS` | If set to `true` or `1`, all HTTP requests are logged to stdout.                                          |
-| `PORT`         | Port number to run the service on. Defaults to `3000`. The the Docker image sets this to `80` by default. | ` |
+| Variable         | Usage                                                                                                     |
+| ---------------- | --------------------------------------------------------------------------------------------------------- |
+| `LOG_REQUESTS`   | If set to `true` or `1`, all HTTP requests are logged to stdout.                                          |
+| `PORT`           | Port number to run the service on. Defaults to `3000`. The the Docker image sets this to `80` by default. | ` |
+| `SESSION_EXPIRE_ON_BROWSER_RESTART` | If set to `true` or `1`, the session will be only valid in a browser session because the cookies will be saved as a session cookie |
 
 
 ## FAQ
@@ -74,7 +75,25 @@ Example:
 ```
 openssl genpkey -algorithm RSA -aes-256-cbc -outform PEM -out private_key.pem -pkeyopt rsa_keygen_bits:2048
 ```
-For explanation of the options check the [OpenSSL documentation](https://www.openssl.org/docs/man1.1.0/man1/genpkey.html#KEY-GENERATION-OPTIONS])
+For explanation of the options check the [OpenSSL documentation](https://www.openssl.org/docs/man1.1.1/man1/openssl-genpkey.html#KEY-GENERATION-OPTIONS)
+
+
+#### Alternative way to generate a key
+Run in terminal:
+```brew install mkcert`
+
+Then type:
+```mkcert -install```
+
+Followed by:
+```mkcert yourSiteName```
+
+Replace `yourSiteName` with any name of your website. For example: download-site-acc
+
+This will generate 2 files: `{yourSiteName}.pem` and `{yourSiteName}-key.pem`.
+
+Now base64 encode the file and you have your base64 encoded signing key.
+```cat `{yourSiteName}-key.pem | base64```
 
 ## Maintainers
 

package.json

@@ -27,7 +27,7 @@
     "node-fetch": "^2.6.1",
     "node-jose": "^2.0.0",
     "randomstring": "^1.1.5",
-    "redis": "^3.0.2"
+    "redis": "^3.1.2"
   },
   "devDependencies": {
     "@types/jsonwebtoken": "^8.5.0",

src/index.ts

@@ -10,6 +10,7 @@ import * as querystring from "querystring";
 import * as Cookies from "cookies";
 import ms = require("ms");
 
+import { noCache } from "./middleware/no-cache";
 import { loadKeystore } from "./util/keystore";
 import { jwtSession } from "./middleware/jwt-session";
 import { redisSession } from "./middleware/redis-session";
@@ -160,8 +161,8 @@ app.proxy = true;
             const stateCookie = ctx.cookies.get(stateCookieName);
 
             // Clear the state cookies.
-            ctx.cookies.set("oidc_state_last");
-            ctx.cookies.set(stateCookieName);
+            ctx.cookies.set("oidc_state_last", null, defaultCookieOptions);
+            ctx.cookies.set(stateCookieName, null, defaultCookieOptions);
 
             // eslint-disable-next-line @typescript-eslint/no-explicit-any
             let stateData: any;
@@ -265,7 +266,7 @@ app.proxy = true;
             const redirectUri = ctx.cookies.get(cookieName);
 
             if (redirectUri) {
-                ctx.cookies.set(cookieName);
+                ctx.cookies.set(cookieName, null, defaultCookieOptions);
                 ctx.redirect(redirectUri);
             }
             ctx.body = "You are logged out";
@@ -295,7 +296,6 @@ app.proxy = true;
         })
     );
     app.use(json());
-    app.use(statusRouter.routes()).use(statusRouter.allowedMethods());
 
     const sessionStorage = process.env.SESSION_STORAGE ?? "jwt";
     switch (sessionStorage) {
@@ -310,7 +310,10 @@ app.proxy = true;
                 `Invalid value for SESSION_STORAGE: ${sessionStorage}. Expect jwt,redis`
             );
     }
+
+    app.use(noCache());
     app.use(appSession({ keystore }));
+    app.use(statusRouter.routes()).use(statusRouter.allowedMethods());
     app.use(router.routes()).use(router.allowedMethods());
 
     const port = parseInt(process.env.PORT ?? "3000");

src/middleware/csrf.ts

@@ -26,7 +26,8 @@ export function csrfOrAccessTokenAuth(
     return async (ctx, next) => {
         if (
             ctx.get("Authorization") ===
-            `Bearer ${ctx.state.appSession.csrfToken}`
+                `Bearer ${ctx.state.appSession.csrfToken}` ||
+            ctx.query.token === ctx.state.appSession.csrfToken
         ) {
             await next();
             return;

src/middleware/jwt-session.ts

@@ -1,4 +1,5 @@
 import * as Koa from "koa";
+import * as Cookies from "cookies";
 import * as jose from "node-jose";
 import * as jwtPromise from "../util/jwt-promise";
 import { JwtHeader, SigningKeyCallback, SignOptions } from "jsonwebtoken";
@@ -131,6 +132,9 @@ export function jwtSession(
     const tokenExpiresIn = process.env.SESSION_MAX_AGE ?? "1d";
     const algorithm = process.env.SESSION_SIGNATURE_ALGORITHM ?? "RS256";
     const cookieSecure = isTruthy(process.env.COOKIES_SECURE ?? "true");
+    const sessionExpireOnBrowserRestart = isTruthy(
+        process.env.SESSION_EXPIRE_ON_BROWSER_RESTART ?? "true"
+    );
     const sameSite = isTruthy(process.env.COOKIES_SECURE ?? "true")
         ? "none"
         : "lax";
@@ -161,25 +165,30 @@ export function jwtSession(
 
         await next();
 
+        const defaultCookieOptions: Cookies.SetOption = {
+            secure: cookieSecure,
+            httpOnly: true,
+            sameSite,
+        };
+
         // Store data back into cookies.
         const newCookieData = await sessionHandler.getTokenCookieData();
         if (newCookieData) {
             const { headerPayload, signature } = newCookieData;
             ctx.cookies.set(cookieName, headerPayload, {
-                secure: cookieSecure,
-                httpOnly: true,
+                ...defaultCookieOptions,
                 maxAge: cookieMaxAge,
-                sameSite,
             });
             ctx.cookies.set(signatureCookieName, signature, {
-                secure: cookieSecure,
-                httpOnly: true,
-                sameSite,
+                ...defaultCookieOptions,
+                ...(sessionExpireOnBrowserRestart
+                    ? {}
+                    : { maxAge: cookieMaxAge }),
             });
         } else if (cookieHeaderPayload && cookieSignature) {
             // Clear the cookies.
-            ctx.cookies.set(cookieName);
-            ctx.cookies.set(signatureCookieName);
+            ctx.cookies.set(cookieName, null, defaultCookieOptions);
+            ctx.cookies.set(signatureCookieName, null, defaultCookieOptions);
         }
     };
 }

src/middleware/no-cache.ts

@@ -0,0 +1,10 @@
+import * as Koa from "koa";
+
+export function noCache(): Koa.Middleware {
+    return async (ctx, next) => {
+        await next();
+        ctx.set("Cache-Control", "no-store, no-cache, must-revalidate");
+        ctx.set("Pragma", "no-cache");
+        ctx.set("Expires", "0");
+    };
+}

src/middleware/redis-session.ts

@@ -1,4 +1,5 @@
 import * as Koa from "koa";
+import * as Cookies from "cookies";
 import * as randomstring from "randomstring";
 import { createClient, RedisClient } from "redis";
 import ms = require("ms");
@@ -109,6 +110,9 @@ export function redisSession(): Koa.Middleware<ClientSessionState> {
     const cookieMaxAge = ms(process.env.SESSION_MAX_INACTIVE ?? "30m");
     const sessionExpiresIn = process.env.SESSION_MAX_AGE ?? "1d";
     const cookieSecure = isTruthy(process.env.COOKIES_SECURE ?? "true");
+    const sessionExpireOnBrowserRestart = isTruthy(
+        process.env.SESSION_EXPIRE_ON_BROWSER_RESTART ?? "true"
+    );
     const sameSite = isTruthy(process.env.COOKIES_SECURE ?? "true")
         ? "none"
         : "lax";
@@ -148,25 +152,30 @@ export function redisSession(): Koa.Middleware<ClientSessionState> {
         await next();
         await sessionHandler.storeData();
 
+        const defaultCookieOptions: Cookies.SetOption = {
+            secure: cookieSecure,
+            httpOnly: true,
+            sameSite,
+        };
+
         // Store data back into cookies.
         const newCookieData = await sessionHandler.getTokenCookieData();
         if (newCookieData) {
             const { payload, signature } = newCookieData;
             ctx.cookies.set(cookieName, payload, {
-                secure: cookieSecure,
-                httpOnly: true,
+                ...defaultCookieOptions,
                 maxAge: cookieMaxAge,
-                sameSite,
             });
             ctx.cookies.set(signatureCookieName, signature, {
-                secure: cookieSecure,
-                httpOnly: true,
-                sameSite,
+                ...defaultCookieOptions,
+                ...(sessionExpireOnBrowserRestart
+                    ? {}
+                    : { maxAge: cookieMaxAge }),
             });
         } else if (cookiePayload && cookieSignature) {
             // Clear the cookies.
-            ctx.cookies.set(cookieName);
-            ctx.cookies.set(signatureCookieName);
+            ctx.cookies.set(cookieName, null, defaultCookieOptions);
+            ctx.cookies.set(signatureCookieName, null, defaultCookieOptions);
         }
     };
 }