propro-utils 1.5.23 → 1.5.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "propro-utils",
-  "version": "1.5.23",
+  "version": "1.5.25",
   "description": "Auth middleware for propro-auth",
   "main": "src/index.js",
   "scripts": {

package/src/server/middleware/cookieUtils.js

@@ -1,3 +1,59 @@
+/**
+ * Authentication Cookies Module
+ * This module provides functions for setting and clearing authentication cookies.
+ */
+
+const { URL } = require('url');
+
+/**
+ * Safely stringify an object, handling circular references
+ * @param {Object} obj - The object to stringify
+ * @return {string} A JSON string representation of the object
+ */
+const safeStringify = obj => {
+  const seen = new WeakSet();
+  return JSON.stringify(obj, (key, value) => {
+    if (typeof value === 'object' && value !== null) {
+      if (seen.has(value)) {
+        return '[Circular]';
+      }
+      seen.add(value);
+    }
+    return value;
+  });
+};
+
+/**
+ * Sanitize user object by removing sensitive and unnecessary information
+ * @param {Object} user - The user object to sanitize
+ * @return {Object} A sanitized version of the user object
+ */
+const sanitizeUser = user => {
+  const sanitized = { ...user };
+
+  delete sanitized.password;
+  delete sanitized.passwordHistory;
+  delete sanitized.loginAttempts;
+
+  // Remove Mongoose-specific fields
+  delete sanitized.$__;
+  delete sanitized.$isNew;
+
+  if (sanitized._doc) {
+    sanitized.id = sanitized._doc.id;
+    sanitized.accountId = sanitized._doc.accountId;
+    sanitized.createdAt = sanitized._doc.createdAt;
+    sanitized.updatedAt = sanitized._doc.updatedAt;
+
+    delete sanitized._doc.mapList;
+    delete sanitized._doc.folderList;
+
+    delete sanitized._doc;
+  }
+
+  return sanitized;
+};
+
 /**
  * Sets the authentication cookies in the response object.
  *
@@ -11,90 +67,122 @@ const setAuthCookies = (res, tokens, account, user, appUrl) => {
   if (!tokens || !tokens.refresh || !tokens.access) {
     throw new Error('Invalid tokens object');
   }
-
   if (!account) {
     throw new Error('Invalid account object');
   }
-
   if (!user) {
     throw new Error('Invalid user object');
   }
 
-  console.log('Setting auth cookies');
-  console.log('tokens', tokens);
-  console.log('account', account);
-  console.log('user', user);
   const currentDateTime = new Date();
-
   const refreshMaxAge =
     new Date(tokens.refresh.expires).getTime() - currentDateTime.getTime();
   const accessMaxAge =
     new Date(tokens.access.expires).getTime() - currentDateTime.getTime();
 
-  let domain = appUrl ? new URL(appUrl).hostname : undefined;
-
-  if (domain.includes('mapmap.app')) {
-    domain = '.mapmap.app';
+  let domain;
+  try {
+    domain = appUrl ? new URL(appUrl).hostname : undefined;
+    if (domain && domain.includes('mapmap.app')) {
+      domain = '.mapmap.app';
+    }
+  } catch (error) {
+    console.error('Invalid appUrl:', error);
+    domain = undefined;
   }
 
   const commonAttributes = {
-    // secure: process.env.NODE_ENV === 'production',
-    secure: true,
-    sameSite: 'None',
-    // path: '/',
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: process.env.NODE_ENV === 'production' ? 'None' : 'Lax',
     domain: domain,
   };
 
+  if (commonAttributes.sameSite === 'None') {
+    commonAttributes.secure = true;
+  }
+
+  // Set httpOnly cookies
   res.cookie('x-refresh-token', tokens.refresh.token, {
+    ...commonAttributes,
     httpOnly: true,
     maxAge: refreshMaxAge,
-    ...commonAttributes,
   });
 
   res.cookie('x-access-token', tokens.access.token, {
+    ...commonAttributes,
     httpOnly: true,
     maxAge: accessMaxAge,
-    ...commonAttributes,
   });
 
-  res.cookie('user', JSON.stringify(user), {
-    maxAge: refreshMaxAge,
+  // Set non-httpOnly cookies
+  const sanitizedUser = sanitizeUser(user);
+  const sanitizedAccount = { ...account };
+  delete sanitizedAccount.passwordHistory;
+
+  res.cookie('user', safeStringify(sanitizedUser), {
     ...commonAttributes,
+    maxAge: refreshMaxAge,
   });
 
-  res.cookie('account', JSON.stringify(account), {
-    maxAge: refreshMaxAge,
+  res.cookie('account', safeStringify(sanitizedAccount), {
     ...commonAttributes,
+    maxAge: refreshMaxAge,
   });
 
   res.cookie(
     'has_account_token',
     JSON.stringify({ value: 'true', expires: accessMaxAge }),
     {
-      maxAge: accessMaxAge,
       ...commonAttributes,
+      maxAge: accessMaxAge,
     }
   );
+
+  console.log('Setting auth cookies');
+  console.log('sanitizedUser', sanitizedUser);
 };
 
-const clearAuthCookies = res => {
+/**
+ * Clears all authentication cookies from the response object.
+ *
+ * @param {Object} res - The response object.
+ * @param {string} appUrl - The URL of the client application.
+ */
+const clearAuthCookies = (res, appUrl) => {
+  let domain;
+  try {
+    domain = appUrl ? new URL(appUrl).hostname : undefined;
+    if (domain && domain.includes('mapmap.app')) {
+      domain = '.mapmap.app';
+    }
+  } catch (error) {
+    console.error('Invalid appUrl:', error);
+    domain = undefined;
+  }
+
   const commonAttributes = {
-    secure: true,
-    sameSite: 'None',
-    domain: process.env.APP_URL
-      ? new URL(process.env.APP_URL).hostname
-      : undefined,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: process.env.NODE_ENV === 'production' ? 'None' : 'Lax',
+    domain: domain,
   };
 
-  [
+  if (commonAttributes.sameSite === 'None') {
+    commonAttributes.secure = true;
+  }
+
+  const cookieNames = [
     'x-refresh-token',
     'x-access-token',
     'user',
     'account',
     'has_account_token',
-  ].forEach(cookieName => {
+  ];
+
+  cookieNames.forEach(cookieName => {
     res.clearCookie(cookieName, commonAttributes);
   });
+
+  console.log('Cleared auth cookies');
 };
 
 module.exports = {