From b1a2677b8c2f5cf43f3dcd12e02cf7804828555e Mon Sep 17 00:00:00 2001
From: Saad Jutt <ihsan.distranger@gmail.com>
Date: Mon, 10 Oct 2022 00:48:13 +0500
Subject: [PATCH] chore: specified domain for cookie for csrf as well

---
 api/src/routes/web/web.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/api/src/routes/web/web.ts b/api/src/routes/web/web.ts
index 7b685a0..6db26ed 100644
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -14,7 +14,10 @@ webRouter.get('/', async (req, res) => {
   } catch (_) {
     response = '<html><head></head><body>Web Build is not present</body></html>'
   } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const { ALLOWED_DOMAIN } = process.env
+    const allowedDomain = ALLOWED_DOMAIN?.trim()
+    const domain = allowedDomain ? ` Domain=${allowedDomain};` : ''
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()};${domain} Max-Age=86400; SameSite=Strict; Path=/;'</script>`
     const injectedContent = response?.replace(
       '</head>',
       `${codeToInject}</head>`