(req: express.Request)
| 300 | * setting and unsetting cookies otherwise they are considered separate. |
| 301 | */ |
export const getCookieOptions = (req: express.Request): express.CookieOptions => {
  // Browsers do not appear to accept relative cookie paths, so an absolute
  // path is required. The server cannot work it out alone because a reverse
  // proxy may have rewritten the request path; the frontend has to supply it.
  //
  // The cookie is scoped to that path instead of "/" so that code-server
  // instances on different sub-paths neither overwrite nor read each other's
  // tokens, and so that other services cannot read code-server's tokens.
  //
  // Login and logout requests therefore carry `href` (the full URL of the
  // current page) and `base` (the relative path to the root as given by the
  // backend). Resolving `base` against `href` yields the true absolute root.
  //
  // NOTE(review): `base` and `href` come from the query string or the body,
  // so they are client-supplied and are not validated here. The cookie domain
  // and path are both derived from them; confirm getCookieDomain constrains
  // the host it is given. `new URL` throws when the pair cannot be resolved,
  // and nothing in this function catches that.
  const relativeRoot = req.query.base || req.body?.base || "/"
  const pageHref = req.query.href || req.body?.href || "http://" + (req.headers.host || "localhost")
  const resolved = new URL(relativeRoot, pageHref)

  // NOTE(review): only domain, path and sameSite are set; httpOnly and secure
  // are left unset here. Confirm that is intended for a token-bearing cookie.
  const cookieDomain = getCookieDomain(resolved.host, req.args["proxy-domain"])
  const cookiePath = normalize(resolved.pathname) || "/"
  return {
    domain: cookieDomain,
    path: cookiePath,
    sameSite: "lax",
  }
}
| 326 | |
| 327 | /** |
| 328 | * Return the full path to the current page, preserving any trailing slash. |