
Server: Use "lax" cookies when using external authentication like SAML or LDAP

This commit is contained in:
Laurent Cozic
2025-09-25 12:11:57 +01:00
parent 2785b7f7d9
commit 6705712f80
3 changed files with 12 additions and 3 deletions


@@ -163,6 +163,10 @@ function samlConfigFromEnv(env: EnvVariables): SamlConfig {
}
}
const isUsingExternalAuth = (env: EnvVariables) => {
return !!env.SAML_ENABLED || !!env.LDAP_1_ENABLED || !!env.LDAP_2_ENABLED;
};
let config_: Config = null;
// eslint-disable-next-line @typescript-eslint/no-explicit-any -- Old code before rule was applied
@@ -210,6 +214,12 @@ export async function initConfig(envType: Env, env: EnvVariables, overrides: any
supportName: env.SUPPORT_NAME || appName,
businessEmail: env.BUSINESS_EMAIL || supportEmail,
cookieSecure: env.COOKIES_SECURE,
// We need "lax" when using external auth due to the redirects from the auth provider to
// /api/saml, which then redirects to /home. And because the "origin" is going to be the
// auth provider URL, the cookies won't be set property. "Lax" solves this and this is what
// most web apps use these days. It is still reasonably secure.
cookieSameSite: isUsingExternalAuth(env) ? 'lax' : true,
storageDriver: parseStorageDriverConnectionString(env.STORAGE_DRIVER),
storageDriverFallback: parseStorageDriverConnectionString(env.STORAGE_DRIVER_FALLBACK),
itemSizeHardLimit: 250000000, // Beyond this the Postgres driver will crash the app
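Review bot: The `cookieSameSite: isUsingExternalAuth(env) ? 'lax' : true,` line relaxes the cookie for LDAP_1_ENABLED and LDAP_2_ENABLED as well, but the justification in the comment above it (a redirect from the auth provider back to /api/saml, then to /home) only applies to SAML; the LDAP flow appears to be checked against the server's own login form with no cross-site redirect, in which case those deployments lose strict cookies for no benefit. Consider gating on SAML alone, e.g. `cookieSameSite: env.SAML_ENABLED ? 'lax' : true,`, or renaming the helper so the condition states the actual reason. Since "lax" still sends the cookie on cross-site top-level GET navigations, a sentence in the comment saying that state-changing endpoints must not act on GET would make the "still reasonably secure" claim checkable by the next reader. The comment line "the cookies won't be set property" should read "set properly". initConfig's body continues outside the hunk.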


@@ -5,10 +5,8 @@ export function cookieSet(ctx: AppContext, name: string, value: string) {
ctx.cookies.set(name, value, {
// Means that the cookies cannot be accessed from JavaScript
httpOnly: true,
// Can only be transferred over https
secure: config().cookieSecure,
// Prevent cookies from being sent in cross-site requests
sameSite: true,
sameSite: config().cookieSameSite,
});
}
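Review bot: The comment `// Prevent cookies from being sent in cross-site requests` no longer describes the `sameSite: config().cookieSameSite,` line beneath it, because the configured value may now be 'lax', which does send the cookie on cross-site top-level navigations; it is not clear from the rendered page whether that comment line survives the change, so this applies if it does. Suggested wording: `// SameSite policy comes from config: strict by default, 'lax' when an external auth provider redirects back into the server`. cookieSet's signature is only in the hunk header, so the function starts before the hunk lines.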


@@ -183,6 +183,7 @@ export interface Config extends EnvVariables {
businessEmail: string;
isJoplinCloud: boolean;
cookieSecure: boolean;
cookieSameSite: 'strict' | 'lax' | 'none' | boolean;
storageDriver: StorageDriverConfig;
storageDriverFallback: StorageDriverConfig;
itemSizeHardLimit: number;
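Review bot: The new `cookieSameSite: 'strict' | 'lax' | 'none' | boolean;` field has no doc comment, and its union admits values the config in this commit never produces: `false` and `'none'` both remove same-site protection, and `'none'` additionally only works together with `secure`. A one-line comment would pin the intent: `// SameSite attribute for session cookies; true means strict, 'lax' is used when an external auth provider redirects back into the server`. If nothing else needs `'none'` or `false`, narrowing the type to `'strict' | 'lax' | true` would turn a weakening misconfiguration into a compile error. The Config interface continues outside the hunk.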