secureProxy option to be able to use with non-Express servers behind SSL proxy
PixelsCommander opened this issue
Hi guys,
I am a user of BlitzJS which uses cookie-session but no actual Express. And I use it behind Nginx SSL proxy.
In order to use cookie-session behind an SSL proxy, the ExpressJS trust proxy feature should be set; however, for BlitzJS or NextJS frameworks that use cookie-session for authorization there is no trust proxy.
We discussed the problem with the BlitzJS author here and came to the conclusion that forcing secure in the cookies constructor (not when setting a cookie, but passed to new Cookies as an option) is the way to go, in full accordance with the cookies package author's recommendations for the case when SSL is not controlled by NodeJS: https://github.com/pillarjs/cookies/blob/master/index.js#L102 https://www.npmjs.com/package/@xyezir/cookies#cookiesset-name--value---options--
I made a PR that adds a secureProxy option, which is crucial for BlitzJS/NextJS users who use cookie-session and want to run an app behind an SSL proxy.
Please suggest if this is the best approach to the problem or if you see a better one.
Hi @PixelsCommander ! To start out with, this is an ExpressJS middleware, made for ExpressJS :) It is even one of the "official" modules within our organization -- this is to state that, though you may be able to use it with other frameworks, that is sort of a "buyer beware" situation, as it is made for, designed for, and tested for use with ExpressJS.
That context aside, a framework does not need to implement a "trust proxy" setting, it simply needs to indicate if the request is secure or not, by having req.protocol === 'https' (see https://github.com/pillarjs/cookies#secure-cookies).
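
The point in the reply above, as an added example that is not part of the thread or of cookie-session's code: a wrapper for a plain Node (req, res) handler that sets req.protocol from X-Forwarded-Proto only when the connection comes from a trusted proxy. The names resolveProtocol, withProtocol, TRUSTED_PROXIES and fakeReq are hypothetical, and the proxy is assumed to run on loopback and to set X-Forwarded-Proto itself.

```javascript
// Assumed deployment: the TLS-terminating proxy (e.g. Nginx) runs on this host.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Strip the IPv4-mapped IPv6 prefix Node reports on dual-stack sockets.
function normalizeAddress(addr) {
  return typeof addr === 'string' ? addr.replace(/^::ffff:/i, '') : '';
}

// Hypothetical helper: decide which protocol the client actually used.
function resolveProtocol(req, trusted = TRUSTED_PROXIES) {
  if (req.socket && req.socket.encrypted) return 'https'; // TLS terminated by Node
  const peer = normalizeAddress(req.socket && req.socket.remoteAddress);
  // A direct client can send any header it likes, so only a trusted peer counts.
  if (!trusted.has(peer)) return 'http';
  const header = req.headers['x-forwarded-proto'];
  if (typeof header !== 'string') return 'http';
  // With chained values, the last entry is the one written by the nearest proxy.
  const last = header.split(',').pop().trim().toLowerCase();
  return last === 'https' ? 'https' : 'http';
}

// Wrap a plain (req, res) handler so downstream code sees req.protocol,
// which is the value the reply above says a framework needs to provide.
function withProtocol(handler, trusted = TRUSTED_PROXIES) {
  return (req, res) => {
    req.protocol = resolveProtocol(req, trusted);
    return handler(req, res);
  };
}

// Constructed request objects standing in for http.IncomingMessage.
function fakeReq(remoteAddress, proto) {
  const headers = proto === undefined ? {} : { 'x-forwarded-proto': proto };
  return { socket: { remoteAddress }, headers };
}

console.log(resolveProtocol(fakeReq('::ffff:127.0.0.1', 'https'))); // via proxy
console.log(resolveProtocol(fakeReq('203.0.113.7', 'https')));      // spoofed header
```

If the header were honoured from any peer, a client connecting over plain HTTP could claim https and receive cookies marked secure over an unencrypted connection.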