From cd68c8966351281abf00689b0f039ec2abe1e77a Mon Sep 17 00:00:00 2001
From: David Ludwig
Date: Wed, 16 Jun 2021 18:44:04 -0500
Subject: [PATCH] Require cookies to store JWT signature

---
 .../src/services/WebServer/middleware/auth.ts | 7 ++-----
 .../src/services/WebServer/routes/auth.ts | 19 ++++++++-----------
 2 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/services/request/src/services/WebServer/middleware/auth.ts b/services/request/src/services/WebServer/middleware/auth.ts
index d7e2120..b40ec85 100644
--- a/services/request/src/services/WebServer/middleware/auth.ts
+++ b/services/request/src/services/WebServer/middleware/auth.ts
@@ -9,7 +9,7 @@ import Application from "../../../Application";
 */
 async function authenticateJwtToken(request: MiddlewareRequest, reply: FastifyReply): Promise {
 // Verify headers
- if (!request.headers["authorization"]) {
+ if (!request.headers["authorization"] || !request.cookies.jwt_signature) {
 reply.status(401);
 reply.send({ status: "Unauthorized" });
 return;
@@ -20,10 +20,7 @@ async function authenticateJwtToken(request: MiddlewareRequest, reply: Fas
 return;
 }
 // Construct the token string
- let token = request.headers["authorization"].slice(7).trim();
- if ((token.match(/\./g)||[]).length < 2) {
- token += '.' + (request.cookies.jwt_signature ?? "").trim();
- }
+ let token = `${request.headers["authorization"].slice(7).trim()}.${request.cookies.jwt_signature.trim()}`;
 // Decode the token
 let user: User;
 try {
diff --git a/services/request/src/services/WebServer/routes/auth.ts b/services/request/src/services/WebServer/routes/auth.ts
index 831977a..dc957ab 100644
--- a/services/request/src/services/WebServer/routes/auth.ts
+++ b/services/request/src/services/WebServer/routes/auth.ts
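Review bot: The new condition on the `if` line changes the middleware's contract — a request now needs both an Authorization header and a `jwt_signature` cookie — but nothing in the hunk records that, and the doc comment closing at ` */` on the first context line presumably still describes header-only authentication. Suggest a comment above the check: `// Split-token scheme: Authorization carries header.payload, the httpOnly jwt_signature cookie carries the signature; both are required`. Note also that `request.cookies` is dereferenced unconditionally here, so if the cookie plugin were ever not registered ahead of this middleware the line would throw rather than answer 401; worth confirming the registration order. authenticateJwtToken continues past the end of the hunk.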
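Review bot: `token` is never reassigned once the fallback is removed, so the added line should read `const token = ...` rather than `let`. Dropping the `match(/\./g)` fallback also means a client that still sends a full three-segment JWT in Authorization now yields a four-segment string, which the decode step presumably rejects; if any non-browser client relied on header-only tokens this is a breaking change worth stating in the commit message. A whitespace-only cookie passes the earlier truthiness check but trims to an empty signature, leaving a trailing dot on the token; that should also fail verification in the `try` block, but it is worth a test. The `try` block and the rest of authenticateJwtToken continue outside the hunk.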
@@ -29,18 +29,15 @@ export default function register(factory: RouteRegisterFactoryrequest.query)["use_cookies"] || (request.query)["use_cookies"] === undefined) {
- // let [header, payload, signature] = token.split('.');
- // token = `${header}.${payload}`;
- // reply.setCookie("jwt_signature", signature, {
- // path: '/',
- // httpOnly: true,
- // sameSite: true,
- // secure: true
- // });
- // }
+ let [header, payload, signature] = token.split('.');
+ token = `${header}.${payload}`;
+ reply.setCookie("jwt_signature", signature, {
+ path: '/',
+ httpOnly: true,
+ sameSite: true,
+ secure: process.env["NODE_ENV"] === "production"
+ });
 respond(reply, Status.Ok, { token });
 }));
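Review bot: The added `let [header, payload, signature] = token.split('.')` assumes exactly three segments; if `token` is not a compact three-part JWT, `signature` is `undefined`, `setCookie` is called with it, and the truncated `header.payload` is still returned to the client as if it were a valid token. Use `const [header, payload, signature] = token.split('.');` (none of the three bindings is reassigned) and guard before the `setCookie` call, e.g. `if (signature === undefined) throw new Error("unexpected token format");`. The cookie options set no `maxAge`/`expires`, so the signature cookie lives for the browser session independently of the JWT's own expiry, and `secure` is conditioned on `NODE_ENV`, so outside production the signature travels over plaintext HTTP — both deserve a one-line comment stating they are intended. The enclosing `register` handler starts outside the hunk.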