feat: add option to disable secure cookies and configure samesite (#…

…3441)
Flagsmith · Feb 27, 2024 · 7ec5491 · 7ec5491
1 parent 0924351
commit 7ec5491
Show file tree

Hide file tree

Showing 11 changed files with 19 additions and 2 deletions.
diff --git a/api/app/settings/common.py b/api/app/settings/common.py
@@ -878,6 +878,8 @@
 SENTRY_API_KEY = env("SENTRY_API_KEY", default=None)
 AMPLITUDE_API_KEY = env("AMPLITUDE_API_KEY", default=None)
 ENABLE_FLAGSMITH_REALTIME = env.bool("ENABLE_FLAGSMITH_REALTIME", default=False)
+USE_SECURE_COOKIES = env.bool("USE_SECURE_COOKIES", default=True)
+COOKIE_SAME_SITE = env.str("COOKIE_SAME_SITE", default="none")
 
 # Set this to enable create organisation for only superusers
 RESTRICT_ORG_CREATE_TO_SUPERUSERS = env.bool("RESTRICT_ORG_CREATE_TO_SUPERUSERS", False)

diff --git a/api/app/views.py b/api/app/views.py
@@ -53,6 +53,8 @@ def project_overrides(request):
         "preventEmailPassword": "PREVENT_EMAIL_PASSWORD",
         "preventSignup": "PREVENT_SIGNUP",
         "sentry": "SENTRY_API_KEY",
+        "useSecureCookies": "USE_SECURE_COOKIES",
+        "cookieSameSite": "COOKIE_SAME_SITE",
     }
 
     override_data = {

diff --git a/docs/docs/deployment/hosting/locally-frontend.md b/docs/docs/deployment/hosting/locally-frontend.md
@@ -95,6 +95,11 @@ Current variables used between 'frontend/environment.js' and 'frontend/common/pr
 - `STATIC_ASSET_CDN_URL`: Used for replacing local static paths with a cdn, .e.g https://cdn.flagsmith.com. Defaults to
   `/`, i.e. no CDN.
 - `BASE_URL`: Used for specifying a base url path that's ignored during routing if serving from a subdirectory.
+- `USE_SECURE_COOKIES`: Enable / disable the use of secure cookies. If deploying the FE in a private network without a
+  domain / SSL cert, disable secure cookies to ensure that session token is persisted. Default: true.
+- `COOKIE_SAME_SITE`: Define the value of the samesite attribute for the session token cookie set by the frontend.
+  Further reading on this value is available [here](https://web.dev/articles/samesite-cookies-explained). Default:
+  'none'.
 
 ## E2E testing
 

diff --git a/frontend/api/index.js b/frontend/api/index.js
@@ -113,6 +113,8 @@ app.get('/config/project-overrides', (req, res) => {
       value: envToBool('DISABLE_INVITE_LINKS', false),
     },
     { name: 'albacross', value: process.env.ALBACROSS_CLIENT_ID },
+    {name: 'useSecureCookies', value: envToBool('USE_SECURE_COOKIES', true)},
+    {name: 'cookieSameSite', value: process.env.USE_SECURE_COOKIES}
   ]
   let output = values.map(getVariable).join('')
   let dynatrace = ''

diff --git a/frontend/env/project_dev.js b/frontend/env/project_dev.js
@@ -16,5 +16,6 @@ module.exports = global.Project = {
   flagsmithClientEdgeAPI: 'https://edge.bullet-train-staging.win/api/v1/',
   // This is used for Sentry tracking
   maintenance: false,
+  useSecureCookies: true,
   ...(globalThis.projectOverrides || {}),
 }
diff --git a/frontend/env/project_e2e.js b/frontend/env/project_e2e.js
@@ -18,5 +18,6 @@ module.exports = global.Project = {
   flagsmithClientEdgeAPI: 'https://edge.api.flagsmith.com/api/v1/',
   // This is used for Sentry tracking
   maintenance: false,
+  useSecureCookies: true,
   ...(globalThis.projectOverrides || {}),
 }
diff --git a/frontend/env/project_local.js b/frontend/env/project_local.js
@@ -16,5 +16,6 @@ module.exports = global.Project = {
   flagsmithClientEdgeAPI: 'https://edge.api.flagsmith.com/api/v1/',
   // This is used for Sentry tracking
   maintenance: false,
+  useSecureCookies: false,
   ...(globalThis.projectOverrides || {}),
 }
diff --git a/frontend/env/project_prod.js b/frontend/env/project_prod.js
@@ -22,5 +22,6 @@ module.exports = global.Project = {
   flagsmithClientEdgeAPI: 'https://edge.api.flagsmith.com/api/v1/',
   // This is used for Sentry tracking
   maintenance: false,
+  useSecureCookies: true,
   ...(globalThis.projectOverrides || {}),
 }
diff --git a/frontend/env/project_selfhosted.js b/frontend/env/project_selfhosted.js
@@ -8,5 +8,6 @@ module.exports = global.Project = {
 
   // This is used for Sentry tracking
   maintenance: false,
+  useSecureCookies: true,
   ...(globalThis.projectOverrides || {}),
 }
diff --git a/frontend/env/project_staging.js b/frontend/env/project_staging.js
@@ -16,5 +16,6 @@ module.exports = global.Project = {
   flagsmithClientEdgeAPI: 'https://edge.bullet-train-staging.win/api/v1/',
   // This is used for Sentry tracking
   maintenance: false,
+  useSecureCookies: true,
   ...(globalThis.projectOverrides || {}),
 }
diff --git a/frontend/web/project/api.js b/frontend/web/project/api.js
@@ -237,8 +237,8 @@ global.API = {
           require('js-cookie').set(key, v, {
             expires: 30,
             path: '/',
-            sameSite: 'none',
-            secure: true,
+            sameSite: Project.cookieSameSite || 'none',
+            secure: Project.useSecureCookies,
           })
         }
       }