From e9a65bb6419efc90b7be493c975858120b721779 Mon Sep 17 00:00:00 2001
From: Simon Tagne <40598597+SimonTagne@users.noreply.github.com>
Date: Wed, 3 Aug 2022 18:34:16 +0200
Subject: [PATCH] fix: Add Secure and SameSite to authentication token
Cf. #275
---
 client/src/constants/Config.js | 4 ++++
 client/src/utils/access-token-storage.js | 17 ++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/client/src/constants/Config.js b/client/src/constants/Config.js
index 6b6ff98..3a84267 100755
--- a/client/src/constants/Config.js
+++ b/client/src/constants/Config.js
@@ -11,6 +11,8 @@ const FETCH_OPTIONS =
 const ACCESS_TOKEN_KEY = 'accessToken';
 const ACCESS_TOKEN_EXPIRES = 365;
+const ACCESS_TOKEN_VERSION_KEY = 'accessTokenVersion';
+const ACCESS_TOKEN_VERSION = '1';
 const POSITION_GAP = 65535;
 const ACTIVITIES_LIMIT = 50;
@@ -20,6 +22,8 @@ export default {
 FETCH_OPTIONS,
 ACCESS_TOKEN_KEY,
 ACCESS_TOKEN_EXPIRES,
+ ACCESS_TOKEN_VERSION_KEY,
+ ACCESS_TOKEN_VERSION,
 POSITION_GAP,
 ACTIVITIES_LIMIT,
 };
diff --git a/client/src/utils/access-token-storage.js b/client/src/utils/access-token-storage.js
index cde5b2e..a4f208c 100755
--- a/client/src/utils/access-token-storage.js
+++ b/client/src/utils/access-token-storage.js
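Review bot: The two constants added in the first Config.js hunk carry no comment saying what the version marks or when it has to change, and a reader of Config.js alone cannot see that getAccessToken re-issues the token cookie when the stored value differs. Add above `ACCESS_TOKEN_VERSION_KEY` a comment such as `// Bump ACCESS_TOKEN_VERSION whenever the cookie options in access-token-storage.js change; a stored value that differs makes getAccessToken re-issue the cookie with the current options.` The second hunk only exports the two names and needs nothing further.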
@@ -5,10 +5,25 @@ import Config from '../constants/Config';
 export const setAccessToken = (accessToken) => {
 Cookies.set(Config.ACCESS_TOKEN_KEY, accessToken, {
 expires: Config.ACCESS_TOKEN_EXPIRES,
+ secure: window.location.protocol === 'https:',
+ sameSite: 'strict',
+ });
+ Cookies.set(Config.ACCESS_TOKEN_VERSION_KEY, Config.ACCESS_TOKEN_VERSION, {
+ expires: Config.ACCESS_TOKEN_EXPIRES,
 });
 };
-export const getAccessToken = () => Cookies.get(Config.ACCESS_TOKEN_KEY);
+export const getAccessToken = () => {
+ // TODO: remove migration
+ const accessToken = Cookies.get(Config.ACCESS_TOKEN_KEY);
+ const accessTokenVersion = Cookies.get(Config.ACCESS_TOKEN_VERSION_KEY);
+ if (accessToken && accessTokenVersion !== Config.ACCESS_TOKEN_VERSION) {
+ // Add secure and sameSite attributes to the cookie
+ setAccessToken(accessToken);
+ }
+
+ return accessToken;
+};
 export const removeAccessToken = () => {
 Cookies.remove(Config.ACCESS_TOKEN_KEY);
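Review bot: The version cookie written by the second `Cookies.set` in setAccessToken gets only `expires`, so unlike the token cookie beside it, it is still sent over plain HTTP and on cross-site requests; give it the same options, `{ expires: Config.ACCESS_TOKEN_EXPIRES, secure: window.location.protocol === 'https:', sameSite: 'strict' }`, or hoist those options into one shared constant so the two calls cannot drift apart. Because both cookies are set from client-side code they cannot carry HttpOnly, so a comment above setAccessToken should state that Secure and SameSite restrict transport and cross-site sending but leave the token readable by any script running on the page. The re-issue in getAccessToken presumably relies on the new cookie replacing the old one, which holds only when path and domain match js-cookie's defaults; worth confirming against how the cookie was originally set. removeAccessToken, whose body ends outside this hunk, removes only `Config.ACCESS_TOKEN_KEY`, so a `Cookies.remove(Config.ACCESS_TOKEN_VERSION_KEY);` line beside it would keep the version cookie from outliving the token on logout.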