Enforce SameSite=Strict (#1713)

package.json

@@ -48,6 +48,7 @@
     "check-password-strength": "^2.0.7",
     "classnames": "^2.3.1",
     "clean-webpack-plugin": "^4.0.0",
+    "cookie": "^0.5.0",
     "copy-webpack-plugin": "^11.0.0",
     "cross-fetch": "^3.1.5",
     "css-loader": "^6.7.3",
@@ -65,7 +66,6 @@
     "inferno-i18next-dess": "0.0.2",
     "inferno-router": "^8.1.1",
     "inferno-server": "^8.1.1",
-    "isomorphic-cookie": "^1.2.4",
     "jwt-decode": "^3.1.2",
     "lemmy-js-client": "0.18.0-rc.2",
     "lodash.isequal": "^4.5.0",
@@ -97,6 +97,7 @@
     "@babel/core": "^7.21.8",
     "@types/autosize": "^4.0.0",
     "@types/bootstrap": "^5.2.6",
+    "@types/cookie": "^0.5.1",
     "@types/express": "^4.17.17",
     "@types/html-to-text": "^9.0.0",
     "@types/lodash.isequal": "^4.5.6",
@@ -125,6 +126,7 @@
     "style-loader": "^3.3.2",
     "terser": "^5.17.3",
     "typescript": "^5.0.4",
+    "typescript-language-server": "^3.3.2",
     "webpack-bundle-analyzer": "^4.9.0",
     "webpack-dev-server": "4.15.0"
   },

src/server/handlers/catch-all-handler.tsx

@@ -1,11 +1,11 @@
 import { initializeSite, isAuthPath } from "@utils/app";
 import { getHttpBaseInternal } from "@utils/env";
 import { ErrorPageData } from "@utils/types";
+import * as cookie from "cookie";
 import fetch from "cross-fetch";
 import type { Request, Response } from "express";
 import { StaticRouter, matchPath } from "inferno-router";
 import { renderToString } from "inferno-server";
-import IsomorphicCookie from "isomorphic-cookie";
 import { GetSite, GetSiteResponse, LemmyHttp } from "lemmy-js-client";
 import { App } from "../../shared/components/app/app";
 import {
@@ -25,7 +25,7 @@ import { setForwardedHeaders } from "../utils/set-forwarded-headers";
 export default async (req: Request, res: Response) => {
   try {
     const activeRoute = routes.find(route => matchPath(req.path, route));
-    let auth: string | undefined = IsomorphicCookie.load("jwt", req);
+    let auth = req.cookies ? cookie.parse(req.cookies).jwt : undefined;
 
     const getSiteForm: GetSite = { auth };
 

src/shared/services/UserService.ts

@@ -2,7 +2,7 @@
 import { isAuthPath } from "@utils/app";
 import { isBrowser } from "@utils/browser";
 import { isHttps } from "@utils/env";
-import IsomorphicCookie from "isomorphic-cookie";
+import * as cookie from "cookie";
 import jwt_decode from "jwt-decode";
 import { LoginResponse, MyUserInfo } from "lemmy-js-client";
 import { toast } from "../toast";
@@ -31,9 +31,14 @@ export class UserService {
   public login(res: LoginResponse) {
     const expires = new Date();
     expires.setDate(expires.getDate() + 365);
-    if (res.jwt) {
+    if (isBrowser() && res.jwt) {
       toast(I18NextService.i18n.t("logged_in"));
-      IsomorphicCookie.save("jwt", res.jwt, { expires, secure: isHttps() });
+      document.cookie = cookie.serialize("jwt", res.jwt, {
+        expires,
+        secure: isHttps(),
+        domain: location.hostname,
+        sameSite: true,
+      });
       this.#setJwtInfo();
     }
   }
@@ -41,8 +46,14 @@ export class UserService {
   public logout() {
     this.jwtInfo = undefined;
     this.myUserInfo = undefined;
-    IsomorphicCookie.remove("jwt"); // TODO is sometimes unreliable for some reason
+    if (isBrowser()) {
-    document.cookie = "jwt=; Max-Age=0; path=/; domain=" + location.hostname;
+      document.cookie = cookie.serialize("jwt", "", {
+        maxAge: 0,
+        path: "/",
+        domain: location.hostname,
+        sameSite: true,
+      });
+    }
     if (isAuthPath(location.pathname)) {
       location.replace("/");
     } else {
@@ -66,10 +77,11 @@ export class UserService {
   }
 
   #setJwtInfo() {
-    const jwt: string | undefined = IsomorphicCookie.load("jwt");
+    if (isBrowser()) {
-
+      const { jwt } = cookie.parse(document.cookie);
-    if (jwt) {
+      if (jwt) {
-      this.jwtInfo = { jwt, claims: jwt_decode(jwt) };
+        this.jwtInfo = { jwt, claims: jwt_decode(jwt) };
+      }
     }
   }