From 77f8d30baf9b1077279c29f1c3e5ca02a5436bc0 Mon Sep 17 00:00:00 2001
From: Saad Jutt <ihsan.distranger@gmail.com>
Date: Wed, 3 Aug 2022 03:38:11 +0500
Subject: [PATCH 1/5] fix(cookie): XSRF cookie is removed and passed token in
 head section

---
 api/src/app.ts                 |  5 +++--
 api/src/routes/web/web.ts      | 10 +++++++---
 web/src/context/appContext.tsx | 13 ++++++++++++-
 3 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/api/src/app.ts b/api/src/app.ts
index cab4690..a2bfdf9 100644
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -1,6 +1,6 @@
 import path from 'path'
 import express, { ErrorRequestHandler } from 'express'
-import csrf from 'csurf'
+import csrf, { CookieOptions } from 'csurf'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 
@@ -32,9 +32,10 @@ const app = express()
 
 const { PROTOCOL } = process.env
 
-export const cookieOptions = {
+export const cookieOptions: CookieOptions = {
   secure: PROTOCOL === ProtocolType.HTTPS,
   httpOnly: true,
+  sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
   maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }
 
diff --git a/api/src/routes/web/web.ts b/api/src/routes/web/web.ts
index 0cd9283..03510b5 100644
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -11,11 +11,15 @@ webRouter.get('/', async (req, res) => {
   try {
     response = await controller.home()
   } catch (_) {
-    response = 'Web Build is not present'
+    response = '<html><head></head><body>Web Build is not present</body></html>'
   } finally {
-    res.cookie('XSRF-TOKEN', req.csrfToken())
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${req.csrfToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const injectedContent = response?.replace(
+      '</head>',
+      `${codeToInject}</head>`
+    )
 
-    return res.send(response)
+    return res.send(injectedContent)
   }
 })
 
diff --git a/web/src/context/appContext.tsx b/web/src/context/appContext.tsx
index 4802a57..258c9ef 100644
--- a/web/src/context/appContext.tsx
+++ b/web/src/context/appContext.tsx
@@ -80,7 +80,18 @@ const AppContextProvider = (props: { children: ReactNode }) => {
       })
       .catch(() => {
         setLoggedIn(false)
-        axios.get('/') // get CSRF TOKEN
+        // get CSRF TOKEN and set cookie
+        axios
+          .get('/')
+          .then((res) => res.data)
+          .then((data: string) => {
+            const result =
+              /<script>document.cookie = '(XSRF-TOKEN=[A-Za-z-0-9; =/]*)'<\/script>/.exec(
+                data
+              )?.[1]
+
+            if (result) document.cookie = result
+          })
       })
 
     axios

From 87c03c5f8dbdfc151d4ff3722ecbcd3f7e409aea Mon Sep 17 00:00:00 2001
From: Saad Jutt <ihsan.distranger@gmail.com>
Date: Thu, 4 Aug 2022 03:03:27 +0500
Subject: [PATCH 2/5] fix(apps): App Stream logo fix

---
 api/src/routes/appStream/style.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/src/routes/appStream/style.ts b/api/src/routes/appStream/style.ts
index d7be3d5..a388b98 100644
--- a/api/src/routes/appStream/style.ts
+++ b/api/src/routes/appStream/style.ts
@@ -26,6 +26,7 @@ export const style = `<style>
 }
 .app-container .app img{
   width: 100%;
+  height: calc(100% - 30px);
   margin-bottom: 10px;
   border-radius: 10px;
 }

From 5966016853369146b27ac5781808cb51d65c887f Mon Sep 17 00:00:00 2001
From: Saad Jutt <ihsan.distranger@gmail.com>
Date: Thu, 4 Aug 2022 03:32:04 +0500
Subject: [PATCH 3/5] fix(env): check added for not providing WHITELIST

---
 api/src/utils/verifyEnvVariables.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/api/src/utils/verifyEnvVariables.ts b/api/src/utils/verifyEnvVariables.ts
index 84aa607..b0a40b2 100644
--- a/api/src/utils/verifyEnvVariables.ts
+++ b/api/src/utils/verifyEnvVariables.ts
@@ -125,8 +125,27 @@ const verifyCORS = (): string[] => {
 
   if (CORS) {
     const corsTypes = Object.values(CorsType)
+
     if (!corsTypes.includes(CORS as CorsType))
       errors.push(`- CORS '${CORS}'\n - valid options ${corsTypes}`)
+
+    if (CORS === CorsType.ENABLED) {
+      const { WHITELIST } = process.env
+
+      const urls = WHITELIST?.trim()
+        .split(' ')
+        .filter((url) => !!url)
+      if (urls?.length) {
+        urls.forEach((url) => {
+          if (!url.startsWith('http://') && !url.startsWith('https://'))
+            errors.push(
+              `- CORS '${CORS}'\n - provided WHITELIST ${url} is not valid`
+            )
+        })
+      } else {
+        errors.push(`- CORS '${CORS}'\n - provide at least one WHITELIST URL`)
+      }
+    }
   } else {
     const { MODE } = process.env
     process.env.CORS =

From 18052fdbf63db8fe637cb5bcd5b0fc0a26aa368a Mon Sep 17 00:00:00 2001
From: Saad Jutt <ihsan.distranger@gmail.com>
Date: Thu, 4 Aug 2022 04:01:51 +0500
Subject: [PATCH 4/5] test: fixed failed specs

---
 api/src/routes/api/spec/web.spec.ts | 23 +++++++++++------------
 web/src/context/appContext.tsx      |  2 +-
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/api/src/routes/api/spec/web.spec.ts b/api/src/routes/api/spec/web.spec.ts
index 45b07f1..12bc4db 100644
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -39,12 +39,11 @@ describe('web', () => {
 
   describe('home', () => {
     it('should respond with CSRF Token', async () => {
-      await request(app)
-        .get('/')
-        .expect(
-          'set-cookie',
-          /_csrf=.*; Max-Age=86400000; Path=\/; HttpOnly,XSRF-TOKEN=.*; Path=\//
-        )
+      const res = await request(app).get('/').expect(200)
+
+      expect(res.text).toMatch(
+        /<script>document.cookie = '(XSRF-TOKEN=.*; Max-Age=86400; SameSite=Strict; Path=\/;)'<\/script>/
+      )
     })
   })
 
@@ -154,10 +153,10 @@ describe('web', () => {
 
 const getCSRF = async (app: Express) => {
   // make request to get CSRF
-  const { header } = await request(app).get('/')
+  const { header, text } = await request(app).get('/')
   const cookies = header['set-cookie'].join()
 
-  const csrfToken = extractCSRF(cookies)
+  const csrfToken = extractCSRF(text)
   return { csrfToken, cookies }
 }
 
@@ -177,7 +176,7 @@ const performLogin = async (
   return { cookies: newCookies }
 }
 
-const extractCSRF = (cookies: string) =>
-  /_csrf=(.*); Max-Age=86400000; Path=\/; HttpOnly,XSRF-TOKEN=(.*); Path=\//.exec(
-    cookies
-  )![2]
+const extractCSRF = (text: string) =>
+  /<script>document.cookie = 'XSRF-TOKEN=(.*); Max-Age=86400; SameSite=Strict; Path=\/;'<\/script>/.exec(
+    text
+  )![1]
diff --git a/web/src/context/appContext.tsx b/web/src/context/appContext.tsx
index 258c9ef..dee793e 100644
--- a/web/src/context/appContext.tsx
+++ b/web/src/context/appContext.tsx
@@ -86,7 +86,7 @@ const AppContextProvider = (props: { children: ReactNode }) => {
           .then((res) => res.data)
           .then((data: string) => {
             const result =
-              /<script>document.cookie = '(XSRF-TOKEN=[A-Za-z-0-9; =/]*)'<\/script>/.exec(
+              /<script>document.cookie = '(XSRF-TOKEN=.*; Max-Age=86400; SameSite=Strict; Path=\/;)'<\/script>/.exec(
                 data
               )?.[1]
 

From f7fcc7741aa2af93a4a2b1e651003704c9bbff0c Mon Sep 17 00:00:00 2001
From: Saad Jutt <ihsan.distranger@gmail.com>
Date: Thu, 4 Aug 2022 05:39:28 +0500
Subject: [PATCH 5/5] fix(web): show login on logged-out state

---
 web/src/App.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/App.tsx b/web/src/App.tsx
index 39c11cf..e0a7d3e 100644
--- a/web/src/App.tsx
+++ b/web/src/App.tsx
@@ -22,7 +22,7 @@ function App() {
         <HashRouter>
           <Header />
           <Routes>
-            <Route path="/" element={<Login />} />
+            <Route path="*" element={<Login />} />
           </Routes>
         </HashRouter>
       </ThemeProvider>