fix: Add Secure and SameSite to authentication token

Cf. #275

client/src/constants/Config.js

@@ -11,6 +11,8 @@ const FETCH_OPTIONS =
 
 const ACCESS_TOKEN_KEY = 'accessToken';
 const ACCESS_TOKEN_EXPIRES = 365;
+const ACCESS_TOKEN_VERSION_KEY = 'accessTokenVersion';
+const ACCESS_TOKEN_VERSION = '1';
 
 const POSITION_GAP = 65535;
 const ACTIVITIES_LIMIT = 50;
@@ -20,6 +22,8 @@ export default {
   FETCH_OPTIONS,
   ACCESS_TOKEN_KEY,
   ACCESS_TOKEN_EXPIRES,
+  ACCESS_TOKEN_VERSION_KEY,
+  ACCESS_TOKEN_VERSION,
   POSITION_GAP,
   ACTIVITIES_LIMIT,
 };

client/src/utils/access-token-storage.js

@@ -5,10 +5,25 @@ import Config from '../constants/Config';
 export const setAccessToken = (accessToken) => {
   Cookies.set(Config.ACCESS_TOKEN_KEY, accessToken, {
     expires: Config.ACCESS_TOKEN_EXPIRES,
+    secure: window.location.protocol === 'https:',
+    sameSite: 'strict',
+  });
+  Cookies.set(Config.ACCESS_TOKEN_VERSION_KEY, Config.ACCESS_TOKEN_VERSION, {
+    expires: Config.ACCESS_TOKEN_EXPIRES,
   });
 };
 
-export const getAccessToken = () => Cookies.get(Config.ACCESS_TOKEN_KEY);
+export const getAccessToken = () => {
+  // TODO: remove migration
+  const accessToken = Cookies.get(Config.ACCESS_TOKEN_KEY);
+  const accessTokenVersion = Cookies.get(Config.ACCESS_TOKEN_VERSION_KEY);
+  if (accessToken && accessTokenVersion !== Config.ACCESS_TOKEN_VERSION) {
+    // Add secure and sameSite attributes to the cookie
+    setAccessToken(accessToken);
+  }
+
+  return accessToken;
+};
 
 export const removeAccessToken = () => {
   Cookies.remove(Config.ACCESS_TOKEN_KEY);