propro-utils 1.6.3 → 1.6.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "propro-utils",
-  "version": "1.6.3",
+  "version": "1.6.4",
   "description": "Auth middleware for propro-auth",
   "main": "src/index.js",
   "scripts": {
@@ -46,6 +46,7 @@
     "jest-mock-axios": "^4.7.3",
     "jsonwebtoken": "^9.0.2",
     "multer": "^1.4.5-lts.1",
+    "neverthrow": "^8.2.0",
     "nodemailer": "^6.9.7",
     "nodemailer-mailgun-transport": "^2.1.5",
     "querystring": "^0.2.1",

package/src/server/middleware/cookieUtils.js

@@ -3,19 +3,19 @@
  * This module provides functions for setting and clearing authentication cookies.
  */
 
-const { URL } = require('url');
+const { URL } = require("url");
 
 /**
  * Safely stringify an object, handling circular references
  * @param {Object} obj - The object to stringify
  * @return {string} A JSON string representation of the object
  */
-const safeStringify = obj => {
+const safeStringify = (obj) => {
   const seen = new WeakSet();
   return JSON.stringify(obj, (key, value) => {
-    if (typeof value === 'object' && value !== null) {
+    if (typeof value === "object" && value !== null) {
       if (seen.has(value)) {
-        return '[Circular]';
+        return "[Circular]";
       }
       seen.add(value);
     }
@@ -28,7 +28,7 @@ const safeStringify = obj => {
  * @param {Object} user - The user object to sanitize
  * @return {Object} A sanitized version of the user object
  */
-const sanitizeUser = user => {
+const sanitizeUser = (user) => {
   const sanitized = { ...user };
 
   delete sanitized.password;
@@ -61,10 +61,10 @@ const sanitizeUser = user => {
  * @param {Object} details - Cookie details
  * @returns {Promise} Promise that resolves when cookie is set
  */
-const setChromeExtensionCookie = details => {
+const setChromeExtensionCookie = (details) => {
   return new Promise((resolve, reject) => {
     try {
-      chrome.cookies.set(details, cookie => {
+      chrome.cookies.set(details, (cookie) => {
         if (chrome.runtime.lastError) {
           reject(chrome.runtime.lastError);
         } else {
@@ -83,13 +83,13 @@ const setChromeExtensionCookie = details => {
  */
 const setAuthCookies = async (res, tokens, account, user, appUrl) => {
   if (!tokens?.refresh?.token || !tokens?.access?.token) {
-    throw new Error('Invalid tokens object');
+    throw new Error("Invalid tokens object");
   }
   if (!account) {
-    throw new Error('Invalid account object');
+    throw new Error("Invalid account object");
   }
   if (!user) {
-    throw new Error('Invalid user object');
+    throw new Error("Invalid user object");
   }
 
   const currentDateTime = new Date();
@@ -102,34 +102,38 @@ const setAuthCookies = async (res, tokens, account, user, appUrl) => {
   let domain;
   try {
     domain = appUrl ? new URL(appUrl).hostname : undefined;
-    if (domain?.includes('mapmap.app')) {
-      domain = '.mapmap.app';
+    if (domain?.includes("mapmap.app")) {
+      domain = ".mapmap.app";
     }
-    if (domain?.includes('localhost')) {
+    if (domain?.includes("localhost")) {
       domain = undefined;
     }
-    if (domain?.includes('propro.so')) {
-      domain = 'propro.so';
+    if (domain?.includes("propro.so")) {
+      domain = "propro.so";
     }
   } catch (error) {
-    console.error('Invalid appUrl:', { error, appUrl });
+    console.error("Invalid appUrl:", { error, appUrl });
     domain = undefined;
   }
 
+  // Determine if we're in a local development environment
+  const isLocalhost =
+    !domain || domain === "localhost" || domain.includes("localhost");
+
   const commonAttributes = {
-    secure: true,
-    sameSite: 'None',
+    secure: !isLocalhost, // Only require secure for non-localhost environments
+    sameSite: isLocalhost ? "Lax" : "None", // Use Lax for localhost, None for production
     domain,
-    path: '/',
+    path: "/",
   };
 
   const httpOnlyCookies = {
-    'x-refresh-token': {
+    "x-refresh-token": {
       value: tokens.refresh.token,
       maxAge: refreshMaxAge,
       httpOnly: true,
     },
-    'x-access-token': {
+    "x-access-token": {
       value: tokens.access.token,
       maxAge: accessMaxAge,
       httpOnly: true,
@@ -150,7 +154,7 @@ const setAuthCookies = async (res, tokens, account, user, appUrl) => {
       maxAge: refreshMaxAge,
     },
     has_account_token: {
-      value: JSON.stringify({ value: 'true', expires: accessMaxAge }),
+      value: JSON.stringify({ value: "true", expires: accessMaxAge }),
       maxAge: accessMaxAge,
     },
   };
@@ -170,21 +174,21 @@ const setAuthCookies = async (res, tokens, account, user, appUrl) => {
       ...regularCookies,
     }).map(([name, config]) => {
       return setChromeExtensionCookie({
-        url: `https://${domain || 'propro.so'}`,
+        url: `https://${domain || "propro.so"}`,
         name,
         value: config.value,
         secure: true,
         httpOnly: !!config.httpOnly,
-        sameSite: 'no_restriction',
-        path: '/',
+        sameSite: "no_restriction",
+        path: "/",
         expirationDate: Math.floor((Date.now() + config.maxAge) / 1000),
-        domain: domain?.startsWith('.') ? domain : `.${domain || 'propro.so'}`,
+        domain: domain?.startsWith(".") ? domain : `.${domain || "propro.so"}`,
       });
     });
 
     await Promise.allSettled(extensionCookiePromises);
 
-    console.log('Auth cookies set successfully', {
+    console.log("Auth cookies set successfully", {
       domain,
       sameSite: commonAttributes.sameSite,
       cookieNames: [
@@ -193,11 +197,11 @@ const setAuthCookies = async (res, tokens, account, user, appUrl) => {
       ],
     });
   } catch (error) {
-    console.error('Error setting cookies:', {
+    console.error("Error setting cookies:", {
       error: error.message,
       stack: error.stack,
     });
-    throw new Error('Failed to set authentication cookies');
+    throw new Error("Failed to set authentication cookies");
   }
 };
 
@@ -208,44 +212,48 @@ const clearAuthCookies = async (res, appUrl) => {
   let domain;
   try {
     domain = appUrl ? new URL(appUrl).hostname : undefined;
-    if (domain?.includes('mapmap.app')) {
-      domain = '.mapmap.app';
+    if (domain?.includes("mapmap.app")) {
+      domain = ".mapmap.app";
     }
-    if (domain?.includes('localhost')) {
+    if (domain?.includes("localhost")) {
       domain = undefined;
     }
   } catch (error) {
-    console.error('Invalid appUrl:', error);
+    console.error("Invalid appUrl:", error);
     domain = undefined;
   }
 
+  // Determine if we're in a local development environment
+  const isLocalhost =
+    !domain || domain === "localhost" || domain.includes("localhost");
+
   const commonAttributes = {
-    secure: true,
-    sameSite: 'None',
+    secure: !isLocalhost, // Only require secure for non-localhost environments
+    sameSite: isLocalhost ? "Lax" : "None", // Use Lax for localhost, None for production
     domain,
-    path: '/',
+    path: "/",
   };
 
   const cookieNames = [
-    'x-refresh-token',
-    'x-access-token',
-    'user',
-    'account',
-    'has_account_token',
+    "x-refresh-token",
+    "x-access-token",
+    "user",
+    "account",
+    "has_account_token",
   ];
 
   // Clear web cookies
-  cookieNames.forEach(cookieName => {
+  cookieNames.forEach((cookieName) => {
     res.clearCookie(cookieName, commonAttributes);
   });
 
   try {
     const extensionClearPromises = cookieNames.map(
-      name =>
-        new Promise(resolve => {
+      (name) =>
+        new Promise((resolve) => {
           chrome.cookies.remove(
             {
-              url: `https://${domain || 'mapmap.app'}`,
+              url: `https://${domain || "mapmap.app"}`,
               name,
             },
             resolve
@@ -258,7 +266,7 @@ const clearAuthCookies = async (res, appUrl) => {
     // Not in extension context, ignore
   }
 
-  console.log('Auth cookies cleared successfully', {
+  console.log("Auth cookies cleared successfully", {
     domain,
     cookieNames,
     sameSite: commonAttributes.sameSite,