From 8cf3b50ee9108e06d7c9a0aac78b4fffa4ef4453 Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Wed, 10 Jun 2020 12:21:11 +0200
Subject: Fix broken cookie handling due to missing proxy awareness

We enabled the `secure` flag for various cookies in previous commits.
This caused setups behind reverse proxies to drop cookies as the nodejs
instance wasn't aware of the fact that it was able to hand out secure
commits using an insecure connection (between the codimd instance and
the reverse proxy).

This patch makes express, the webserver framework we use, aware of
proxies and this way re-enabled the handing out of cookies. Not only the
cookie monster will enjoy, but also functionality like authentication
and real-time editing will return as intended.

References:
https://www.npmjs.com/package/express-session#cookiesecure
https://github.com/codimd/server/commit/383d791a50919bb9890a3f3f797ecc95125ab8bf

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
---
 app.js | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'app.js')

diff --git a/app.js b/app.js
index c65b8483..8f775b21 100644
--- a/app.js
+++ b/app.js
@@ -51,6 +51,13 @@ if (config.useSSL) {
   server = require('http').createServer(app)
 }
 
+// if we manage to provide HTTPS domains, but don't provide TLS ourselves
+// obviously a proxy is involded. In order to make sure express is aware of
+// this, we provide the option to trust proxies here.
+if (!config.useSSL && config.protocolUseSSL) {
+  app.set('trust proxy', 1)
+}
+
 // logger
 app.use(morgan('combined', {
   'stream': logger.stream
-- 
cgit v1.2.3