fix: use request.protocol to check for HTTPS (#238)

fastify · Mar 22, 2024 · 75b226c · 75b226c
1 parent 7587d08
commit 75b226c
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 17 deletions.
diff --git a/lib/cookie.js b/lib/cookie.js
@@ -1,7 +1,5 @@
 'use strict'
 
-const isConnectionSecure = require('./isConnectionSecure')
-
 module.exports = class Cookie {
   constructor (cookie, request) {
     const originalMaxAge = cookie.originalMaxAge || cookie.maxAge || null
@@ -23,7 +21,7 @@ module.exports = class Cookie {
     }
 
     if (this.secure === 'auto') {
-      if (isConnectionSecure(request)) {
+      if (request.protocol === 'https') {
         this.secure = true
       } else {
         this.sameSite = 'Lax'

diff --git a/lib/fastifySession.js b/lib/fastifySession.js
@@ -4,7 +4,6 @@ const fp = require('fastify-plugin')
 const idGenerator = require('./idGenerator')()
 const Store = require('./store')
 const Session = require('./session')
-const isConnectionSecure = require('./isConnectionSecure')
 
 function fastifySession (fastify, options, next) {
   const error = checkOptions(options)
@@ -166,7 +165,7 @@ function fastifySession (fastify, options, next) {
 
       const cookieSessionId = getCookieSessionId(request)
       const saveSession = shouldSaveSession(request, cookieSessionId, saveUninitializedSession, rollingSessions)
-      const isInsecureConnection = cookieOpts.secure === true && isConnectionSecure(request) === false
+      const isInsecureConnection = cookieOpts.secure === true && request.protocol !== 'https'
       const sessionIdWithPrefix = hasCookiePrefix ? `${cookiePrefix}${session.encryptedSessionId}` : session.encryptedSessionId
       if (!saveSession || isInsecureConnection) {
         // if a session cookie is set, but has a different ID, clear it

diff --git a/lib/isConnectionSecure.js b/lib/isConnectionSecure.js
diff --git a/test/cookie.test.js b/test/cookie.test.js
@@ -54,7 +54,7 @@ test('should not set session cookie is request is not secure', async (t) => {
 
 test('should not set session cookie is request is not secure and x-forwarded-proto != https', async (t) => {
   t.plan(2)
-  const fastify = Fastify()
+  const fastify = Fastify({ trustProxy: true })
   fastify.addHook('onRequest', async (request, reply) => {
     request.raw.socket.encrypted = false
   })
@@ -75,7 +75,7 @@ test('should not set session cookie is request is not secure and x-forwarded-pro
 
 test('should set session cookie is request is not secure and x-forwarded-proto = https', async (t) => {
   t.plan(2)
-  const fastify = Fastify()
+  const fastify = Fastify({ trustProxy: true })
   fastify.addHook('onRequest', async (request, reply) => {
     request.raw.socket.encrypted = false
   })
@@ -182,7 +182,7 @@ test('should set session cookie with sameSite', async (t) => {
 
 test('should set session another path in cookie', async (t) => {
   t.plan(2)
-  const fastify = Fastify()
+  const fastify = Fastify({ trustProxy: true })
 
   const options = {
     secret: DEFAULT_SECRET,

diff --git a/test/util.js b/test/util.js
@@ -13,7 +13,7 @@ const DEFAULT_COOKIE_VALUE = `sessionId=${DEFAULT_ENCRYPTED_SESSION_ID};`
 const DEFAULT_COOKIE = `${DEFAULT_COOKIE_VALUE}; Path=/; HttpOnly; Secure`
 
 async function buildFastify (handler, sessionOptions, plugin) {
-  const fastify = Fastify()
+  const fastify = Fastify({ trustProxy: true })
   await fastify.register(fastifyCookie)
   if (plugin) {
     await fastify.register(plugin)