sholladay / pogo

Server framework for Deno
Mozilla Public License 2.0
482 stars 33 forks

Disable secure cookies #55

Closed Muha0644 closed 3 years ago

Muha0644 commented 4 years ago

The request.response.state() has no way to make the secure flag false. I know it's kind of stupid to send cookies unencrypted, but it's useful for debugging and for non-password related data.

https://github.com/sholladay/pogo/blob/master/lib/response.ts#L92 - there is no way to change this line to false, meaning that browsers will automatically reject the cookie if not using SSL.

sholladay commented 4 years ago

Yeah, that was on purpose. I want to make it really hard for Pogo apps to have security mistakes.

I might be willing to add an option for this. The thing is, it is really easy to add SSL to your localhost these days. Is that your use case? It used to be a huge pain but now there are lots of automated tools and beginner friendly tutorials.

Muha0644 commented 4 years ago

From what I've seen, you normally have to renew the free SSL certs every three months, and that's a real hassle. It's great that Pogo is secure by default, but it sucks that I have to use Deno's setCookie() instead of the much more elegant response.state().

The problem is also that every browser will automatically reject loading the site for self-signed certs and I don't think anyone that has access to my private network is smart enough to sniff packets, or make use of them. It's an extremely stupid idea to send authentication cookies unencrypted, but if it's just preferences or settings it won't matter much if they get leaked.

sholladay commented 4 years ago

The problem is also that every browser will automatically reject loading the site for self-signed certs

This shouldn't happen if you follow the instructions I linked to above. devcert, for example, creates a certificate authority for you (which can easily renew certificates, btw), and then it adds the CA to your operating system's trust store. So the certificate is fully trusted just like any other and no warnings should appear.

sholladay commented 3 years ago

Good news... while I was on the fence about this for a while, in the end I decided to let users override all of the default cookie options. I think I momentarily forgot about that when I wrote the above comment. 😄

You can indeed set secure: false. Here is an example of how to do it...

import pogo from 'https://deno.land/x/pogo/main.ts';

const server = pogo.server({ port : 3000 });

server.router.get('/', (request, h) => {
    // Cookie options passed to state() override the defaults;
    // secure defaults to true, so it must be turned off explicitly.
    return h.response('nom nom').state('somename', {
        secure : false,
        value  : 'somevalue'
    });
});

server.start();

Let me know if you have any further questions or problems related to this.
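As an added illustration of the trade-off discussed in this thread (secure by default, explicit opt-out for local debugging), here is a small framework-independent TypeScript helper that builds a Set-Cookie header the same way: Secure and HttpOnly are on unless the caller turns them off, and `secure: false` is only honoured when the request's Host header is a loopback address. This is example code written for this page, not Pogo's implementation; the `CookieOptions` shape, `isLocalDev`, `buildSetCookie` and the loopback allow-list are all assumptions chosen for the example.

```typescript
// Added example, not Pogo's code: a secure-by-default Set-Cookie builder
// whose opt-out (secure: false) is only accepted for plain-HTTP local dev.

interface CookieOptions {
    value: string;
    secure?: boolean;                     // default true (as in Pogo)
    httpOnly?: boolean;                   // default true
    sameSite?: 'Strict' | 'Lax' | 'None';
    path?: string;                        // default '/'
    maxAge?: number;                      // seconds
}

// Hosts for which a non-Secure cookie is tolerated (assumption for this example).
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Conservative subsets of RFC 6265 token / cookie-octet: reject anything that
// could terminate or inject an attribute (";", "=", whitespace, control chars).
const SAFE_NAME = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;
const SAFE_VALUE = /^[A-Za-z0-9!#$%&'()*+\-./:<=>?@[\]^_`{|}~]*$/;

// True when the Host header (optionally with a port) is a loopback address.
function isLocalDev(hostHeader: string): boolean {
    const host = hostHeader.replace(/:\d+$/, '');   // strip ":3000" etc.
    return LOCAL_HOSTS.has(host);
}

// Build the Set-Cookie header value. Throws rather than silently weakening
// the cookie when the caller asks for something browsers or policy reject.
function buildSetCookie(name: string, opts: CookieOptions, hostHeader: string): string {
    const secure = opts.secure ?? true;
    const httpOnly = opts.httpOnly ?? true;

    if (!SAFE_NAME.test(name)) {
        throw new Error(`invalid cookie name: ${JSON.stringify(name)}`);
    }
    if (!SAFE_VALUE.test(opts.value)) {
        throw new Error(`invalid cookie value for "${name}"`);
    }
    if (!secure && !isLocalDev(hostHeader)) {
        // The opt-out exists for debugging on localhost only; refuse it elsewhere.
        throw new Error(`refusing to set non-Secure cookie "${name}" for host ${hostHeader}`);
    }
    if (opts.sameSite === 'None' && !secure) {
        // Browsers drop SameSite=None cookies that lack the Secure attribute.
        throw new Error(`SameSite=None requires Secure (cookie "${name}")`);
    }

    const parts = [`${name}=${opts.value}`, `Path=${opts.path ?? '/'}`];
    if (opts.maxAge !== undefined) {
        parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
    }
    if (opts.sameSite) {
        parts.push(`SameSite=${opts.sameSite}`);
    }
    if (httpOnly) {
        parts.push('HttpOnly');
    }
    if (secure) {
        parts.push('Secure');
    }
    return parts.join('; ');
}

// Returns true when the header carries the Secure attribute; handy as a
// regression check that production responses never lose the flag.
function hasSecureFlag(setCookie: string): boolean {
    return setCookie.split(';').some((attr) => attr.trim().toLowerCase() === 'secure');
}

// Usage: the debugging case from this issue (Host constructed for the example)
// versus a production request, where the same opt-out is rejected.
const devCookie = buildSetCookie('somename', { value: 'somevalue', secure: false }, 'localhost:3000');
const prodCookie = buildSetCookie('session', { value: 'abc123', sameSite: 'Lax' }, 'example.com');
console.log(devCookie);
console.log(prodCookie, hasSecureFlag(prodCookie));
```

The guard keys off the Host header only because this is a local-development escape hatch; it is not a substitute for TLS, since anything that is not loopback still gets a Secure cookie and the opt-out throws.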