chore(release): 0.23.3 [skip ci]

## [0.23.3](https://github.com/sasjs/server/compare/v0.23.2...v0.23.3) (2022-10-09)

### Bug Fixes

* added domain for session cookies ([94072c3](94072c3d24))

CHANGELOG.md

@@ -1,3 +1,10 @@
+## [0.23.3](https://github.com/sasjs/server/compare/v0.23.2...v0.23.3) (2022-10-09)
+
+
+### Bug Fixes
+
+* added domain for session cookies ([94072c3](https://github.com/sasjs/server/commit/94072c3d24a4d0d4c97900dc31bfbf1c9d2559b7))
+
 ## [0.23.2](https://github.com/sasjs/server/compare/v0.23.1...v0.23.2) (2022-10-06)
 
 

api/.env.example

@@ -1,5 +1,6 @@
 MODE=[desktop|server] default considered as desktop
 CORS=[disable|enable] default considered as disable for server MODE & enable for desktop MODE
+ALLOWED_DOMAIN=<just domain e.g. example.com >
 WHITELIST=<space separated urls, each starting with protocol `http` or `https`>
 
 PROTOCOL=[http|https] default considered as http

api/src/app-modules/configureExpressSession.ts

@@ -1,10 +1,9 @@
-import { Express } from 'express'
+import { Express, CookieOptions } from 'express'
 import mongoose from 'mongoose'
 import session from 'express-session'
 import MongoStore from 'connect-mongo'
 
-import { ModeType } from '../utils'
+import { ModeType, ProtocolType } from '../utils'
-import { cookieOptions } from '../app'
 
 export const configureExpressSession = (app: Express) => {
   const { MODE } = process.env
@@ -19,6 +18,15 @@ export const configureExpressSession = (app: Express) => {
       })
     }
 
+    const { PROTOCOL, ALLOWED_DOMAIN } = process.env
+    const cookieOptions: CookieOptions = {
+      secure: PROTOCOL === ProtocolType.HTTPS,
+      httpOnly: true,
+      sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      domain: ALLOWED_DOMAIN?.trim() || undefined
+    }
+
     app.use(
       session({
         secret: process.secrets.SESSION_SECRET,

api/src/app.ts

@@ -1,5 +1,5 @@
 import path from 'path'
-import express, { ErrorRequestHandler, CookieOptions } from 'express'
+import express, { ErrorRequestHandler } from 'express'
 import cookieParser from 'cookie-parser'
 import dotenv from 'dotenv'
 
@@ -8,7 +8,6 @@ import {
   getWebBuildFolder,
   instantiateLogger,
   loadAppStreamConfig,
-  ProtocolType,
   ReturnCode,
   setProcessVariables,
   setupFolders,
@@ -29,15 +28,6 @@ if (verifyEnvVariables()) process.exit(ReturnCode.InvalidEnv)
 
 const app = express()
 
-const { PROTOCOL } = process.env
-
-export const cookieOptions: CookieOptions = {
-  secure: PROTOCOL === ProtocolType.HTTPS,
-  httpOnly: true,
-  sameSite: PROTOCOL === ProtocolType.HTTPS ? 'none' : undefined,
-  maxAge: 24 * 60 * 60 * 1000 // 24 hours
-}
-
 const onError: ErrorRequestHandler = (err, req, res, next) => {
   console.error(err.stack)
   res.status(500).send('Something broke!')

api/src/routes/web/web.ts

@@ -14,7 +14,10 @@ webRouter.get('/', async (req, res) => {
   } catch (_) {
     response = '<html><head></head><body>Web Build is not present</body></html>'
   } finally {
-    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()}; Max-Age=86400; SameSite=Strict; Path=/;'</script>`
+    const { ALLOWED_DOMAIN } = process.env
+    const allowedDomain = ALLOWED_DOMAIN?.trim()
+    const domain = allowedDomain ? ` Domain=${allowedDomain};` : ''
+    const codeToInject = `<script>document.cookie = 'XSRF-TOKEN=${generateCSRFToken()};${domain} Max-Age=86400; SameSite=Strict; Path=/;'</script>`
     const injectedContent = response?.replace(
       '</head>',
       `${codeToInject}</head>`

api/src/utils/verifyEnvVariables.ts

@@ -267,7 +267,7 @@ const verifyRUN_TIMES = (): string[] => {
   return errors
 }
 
-const verifyExecutablePaths = () => {
+const verifyExecutablePaths = (): string[] => {
   const errors: string[] = []
   const { RUN_TIMES, SAS_PATH, NODE_PATH, PYTHON_PATH, R_PATH, MODE } =
     process.env