getodk / aggregate

ODK Aggregate is a Java server that stores, analyzes, and presents survey data collected using ODK Collect. Contribute and make the world a better place! ✨🗄✨
https://docs.opendatakit.org/aggregate-intro/

Making Cookies HTTPOnly #502

Open ChakshuGautam opened 3 years ago

ChakshuGautam commented 3 years ago

Software and hardware versions

macOS Docker Compose, Aggregate v2.0.5 [Self built WAR] behind NGINX reverse proxy

Problem description

Trying to make cookies secure by

```nginx
proxy_cookie_path / "/; HTTPOnly; Secure";
```

But I see that HTTPOnly cannot be enabled due to the doc.cookie API being used internally to cache.

Found the context.xml file which explicitly does not allow this. Is there a specific reason?

```xml
<Context useHttpOnly="false">
  <JarScanner>
    <JarScanFilter pluggabilitySkip="*" tldSkip="*" />
  </JarScanner>
</Context>
```
lognaturel commented 3 years ago

Please note that the recommended ODK server is now ODK Central and the core ODK team no longer maintains Aggregate.

Have you tried changing that setting in https://github.com/getodk/aggregate/blob/bad45279a5ca96619e87ad4a14448fe70b62e227/src/main/webapp/META-INF/context.xml#L1? I don’t know what its history is.

ChakshuGautam commented 3 years ago

Yes. The generated cache.js just stops working altogether. Not sure why. It has references to doc.cookie API which is disabled when we use HttpOnly=true.
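The trade-off described in this thread is per cookie: `HttpOnly` is the one attribute that hides a cookie from `document.cookie`, so a cookie the front-end script must read cannot carry it, while `Secure` can be added everywhere. The script below is an added example, not ODK Aggregate code and not the reporter's configuration. It audits constructed upstream `Set-Cookie` headers against an assumed (hypothetical) set of cookie names that browser-side JavaScript reads, reports which flags can be added safely and which would break the page, and appends the safe flags without touching the `Path` attribute (the reason to avoid the `proxy_cookie_path` rewrite for this purpose).

```python
"""Audit Set-Cookie headers and decide which can be hardened with HttpOnly/Secure.

Added example, not ODK Aggregate code. The headers are constructed and the set
of cookies the client-side JavaScript reads via document.cookie is an assumption.
"""

# Constructed upstream Set-Cookie headers, as a reverse proxy would see them.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/aggregate",
    "gwtcache=v1; Path=/aggregate",   # hypothetical cookie the page script must read
    "remember=1; Path=/; Secure",
]

# Hypothetical: names of cookies the front-end JavaScript reads with document.cookie.
JS_READ_COOKIES = {"gwtcache"}

FLAG_TEXT = {"httponly": "HttpOnly", "secure": "Secure"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute_lower: value_or_True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit(headers, js_read_cookies=JS_READ_COOKIES):
    """Return {cookie_name: {"missing": [...], "can_add": [...], "blocked": [...]}}.

    "blocked" lists flags that would break the page because a script must read
    the cookie; only HttpOnly hides a cookie from document.cookie, so Secure is
    never blocked.
    """
    report = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        blocked = ["httponly"] if "httponly" in missing and name in js_read_cookies else []
        can_add = [flag for flag in missing if flag not in blocked]
        report[name] = {"missing": missing, "can_add": can_add, "blocked": blocked}
    return report


def harden(header, flags):
    """Append the given attribute flags to a Set-Cookie header, leaving Path untouched."""
    _, _, attrs = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    for flag in flags:
        if flag not in attrs:
            out += "; " + FLAG_TEXT[flag]
    return out


def harden_all(headers, js_read_cookies=JS_READ_COOKIES):
    """Apply every safe flag from audit() to each header; order is preserved."""
    report = audit(headers, js_read_cookies)
    result = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        result.append(harden(header, report[name]["can_add"]))
    return result


if __name__ == "__main__":
    for name, entry in audit(SAMPLE_SET_COOKIE).items():
        print(f"{name}: missing={entry['missing']} can_add={entry['can_add']} blocked={entry['blocked']}")
    for line in harden_all(SAMPLE_SET_COOKIE):
        print("Set-Cookie:", line)
```

Running the audit on the constructed input shows the decision the thread is circling: the session cookie can take both flags, the script-read cookie can only take `Secure`, and the flags are appended after the existing attributes rather than by rewriting `Path`, which a prefix-based `proxy_cookie_path` rewrite would alter for any path longer than `/`.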

ChakshuGautam commented 3 years ago

One of the reasons why we are not able to use ODK Central is webhooks. We have built a pipeline around webhooks which is still not supported by Central.

lognaturel commented 3 years ago

I would recommend searching the forum for setups similar to yours or posting if you don't find anything useful.

> We have built a pipeline around webhooks

It would be helpful to know more about your workflow. We've discussed some possibilities in this area but will need to have more user input before we build anything.