Secure cookie flags + CSRF for our own POST forms (todo §4); SECURE_COOKIES toggle on session/CSRF cookies; csrf.ts signed double-submit token + body.ts form reader; logout is now a CSRF-guarded POST form

2026-06-18 11:12:32 +02:00
parent dec55f85a6
commit 4b2173cb84
21 changed files with 241 additions and 26 deletions
--- a/src/config.ts
+++ b/src/config.ts
@@ -20,6 +20,7 @@ export interface Config {
  kratosAdminUrl: string;
  kratosPublicUrl: string;
  port: number;
+  secureCookies: boolean;
 }

 type Env = Record<string, string | undefined>;
@@ -88,5 +89,7 @@ export function loadConfig(env: Env = process.env): Config {
    kratosAdminUrl: readUrl(env, "KRATOS_ADMIN_URL", "http://kratos:4434"),
    kratosPublicUrl: readUrl(env, "KRATOS_PUBLIC_URL", "http://kratos:4433"),
    port: readPort(env),
+    // Set Secure on our session/CSRF cookies. Off by default (dev runs http); prod (https) sets it.
+    secureCookies: readBool(env, "SECURE_COOKIES", false),
  };
 }