greend-server 1.0.4 → 1.0.5

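--- a/package/.env.example
+++ b/package/.env.example
@@ -20,11 +20,25 @@ HOST=0.0.0.0
 # Never use the default in production.
 SESSION_SECRET=change-this-to-a-long-random-string
 
+# ──────────────────────────────────────────────────────────────────────────────
+# Session cookie security
+# ──────────────────────────────────────────────────────────────────────────────
+# Controls whether session cookies require a secure (HTTPS) transport.
+# false — required for local HTTP setups (Electron desktop, dev, LAN installs)
+# true — required when greend-server is behind HTTPS
+# auto — derives from NODE_ENV (production → true, anything else → false)
+#
+# Common mistake: leaving this unset while NODE_ENV=production on a plain HTTP
+# server causes a login loop — login succeeds server-side but the Secure cookie
+# is never accepted by the client.
+SESSION_COOKIE_SECURE=false
+
 # Origins allowed to make cross-origin requests (comma-separated).
 # The GreenD desktop app connects from app://localhost.
 # If you also access GreenD from a browser, add that origin too.
 # Example: CORS_ORIGIN=app://localhost,https://greend.yourcompany.com
 CORS_ORIGIN=app://localhost
 
-# Set to 'production' to enable secure cookie flags.
+# Node environment. Does NOT control cookie security when SESSION_COOKIE_SECURE
+# is set explicitly. Still affects other Express/library defaults.
 NODE_ENV=production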
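Review bot: The template ships `SESSION_COOKIE_SECURE=false` (new line 34) while the same file sets `NODE_ENV=production` (line 44), so a deployment that copies the example verbatim onto an HTTPS host issues session cookies without the Secure attribute and only gets the startup warning from server.js. The new `auto` mode already gives the HTTPS/production case the secure flag, and the comment above marks `false` as the exception for local HTTP installs, so the safer shipped value is `SESSION_COOKIE_SECURE=auto`, with `false` opted into by the Electron/LAN setups the comment names. If local HTTP is the primary install path, keeping the hint as a commented line, `# SESSION_COOKIE_SECURE=false   # uncomment for local HTTP installs`, preserves the guidance without making the insecure setting the default.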
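--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "greend-server",
-"version": "1.0.4",
+"version": "1.0.5",
 "description": "GreenD ESG backend — self-hosted Express.js API server",
 "type": "module",
 "main": "server.js",
@@ -33,7 +33,6 @@
 "files": [
 "server.js",
 "bin/",
-"data/.gitkeep",
 ".env.example"
 ],
 "publishConfig": { "access": "public" }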
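--- a/package/server.js
+++ b/package/server.js
@@ -47,9 +47,18 @@ const DATA_DIR = process.env.DATA_DIR
 : getDefaultDataDir();
 
 const SESSION_COOKIE_NAME = 'connect.sid';
+
+function resolveCookieSecure() {
+const raw = (process.env.SESSION_COOKIE_SECURE ?? 'auto').toLowerCase().trim();
+if (raw === 'true') return true;
+if (raw === 'false') return false;
+// 'auto' or unrecognised: derive from NODE_ENV for backward compatibility
+return process.env.NODE_ENV === 'production';
+}
+
 const SESSION_COOKIE_OPTIONS = {
 httpOnly: true,
-secure: process.env.NODE_ENV === 'production',
+secure: resolveCookieSecure(),
 sameSite: 'lax',
 path: '/',
 maxAge: 8 * 60 * 60 * 1000,
@@ -62,6 +71,10 @@ const CLEAR_SESSION_COOKIE_OPTIONS = {
 path: SESSION_COOKIE_OPTIONS.path,
 };
 
+if (!SESSION_COOKIE_OPTIONS.secure && process.env.NODE_ENV === 'production') {
+console.warn('[greend-server] WARNING: Session cookies are insecure (SESSION_COOKIE_SECURE=false) while NODE_ENV=production. Acceptable only for local HTTP deployments.');
+}
+
 // ---------------------------------------------------------------------------
 // File-backed session store — persists sessions to DATA_DIR/sessions.json so
 // that sessions survive server restarts (MemoryStore loses them on every restart).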
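Review bot: In resolveCookieSecure (first hunk), any value other than `true`, `false` or `auto` — a typo, or the `0`/`1`/`yes`/`no` spellings operators commonly use — is silently treated as `auto`, so someone who believes they pinned the flag explicitly gets the NODE_ENV-derived value with nothing in the logs to show it. The comment on the fallback line acknowledges the case but does not report it; I would emit a one-time notice before the fallback, `if (raw !== 'auto') console.warn('[greend-server] Unrecognised SESSION_COOKIE_SECURE value; falling back to NODE_ENV');`, so the misconfiguration is visible at startup the same way the explicit-false case is in the second hunk. The function is complete within the hunk.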
package/data/.gitkeep DELETED
File without changes