From 15e515720f8c5551815c8d8883d62b3e200d095e Mon Sep 17 00:00:00 2001
From: Nate Kelley
Date: Thu, 23 Jan 2025 16:33:33 -0700
Subject: [PATCH] add secure middleware checks
---
 web/src/app/app/_components/Lists/FavoriteStar.tsx | 4 +++-
 .../_ThreadListContainer/_ThreadItemsContainer.tsx | 5 ++---
 web/src/components/layout/AppSplitter/AppSplitter.tsx | 6 +++---
 web/src/components/layout/AppSplitter/helper.ts | 10 ++++++++++
 web/src/middleware.ts | 6 +++++-
 5 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/web/src/app/app/_components/Lists/FavoriteStar.tsx b/web/src/app/app/_components/Lists/FavoriteStar.tsx
index 97fd3043e..23747047f 100644
--- a/web/src/app/app/_components/Lists/FavoriteStar.tsx
+++ b/web/src/app/app/_components/Lists/FavoriteStar.tsx
@@ -68,7 +68,9 @@ export const FavoriteStar: React.FC<{
 classNames={{ icon: '!text-inherit !mt-[-2px]' }}
- className={cx(className, 'flex', styles.icon, iconStyle, { 'is-favorited': isFavorited })}
+ className={cx(className, 'flex', styles.icon, iconStyle, {
+ 'is-favorited opacity-100': isFavorited
+ })}
 onClick={onFavoriteClick}
 type="text"
 icon={}
diff --git a/web/src/app/app/metrics/_ThreadListContainer/_ThreadItemsContainer.tsx b/web/src/app/app/metrics/_ThreadListContainer/_ThreadItemsContainer.tsx
index 0954bd013..34d00d7da 100644
--- a/web/src/app/app/metrics/_ThreadListContainer/_ThreadItemsContainer.tsx
+++ b/web/src/app/app/metrics/_ThreadListContainer/_ThreadItemsContainer.tsx
@@ -241,14 +241,13 @@ const TitleCell = React.memo<{ title: string; status: BusterVerificationStatus; {title} -
+
diff --git a/web/src/components/layout/AppSplitter/AppSplitter.tsx b/web/src/components/layout/AppSplitter/AppSplitter.tsx
index 87a09c79c..b4ad3dd3e 100644
--- a/web/src/components/layout/AppSplitter/AppSplitter.tsx
+++ b/web/src/components/layout/AppSplitter/AppSplitter.tsx
@@ -3,7 +3,7 @@ import { useMemoizedFn } from 'ahooks';
 import React, { useEffect, useMemo, useState, forwardRef, useImperativeHandle } from 'react';
 import SplitPane, { Pane } from './SplitPane';
-import { createAutoSaveId } from './helper';
+import { createAutoSaveId, setAppSplitterCookie } from './helper';
 import Cookies from 'js-cookie';
 import { createStyles } from 'antd-style';
@@ -101,7 +101,7 @@ export const AppSplitter = forwardRef<
 setSizes(sizes);
 const key = createAutoSaveId(autoSaveId);
 const sizesString = preserveSide === 'left' ? [sizes[0], 'auto'] : ['auto', sizes[1]];
- Cookies.set(key, JSON.stringify(sizesString), { expires: 365 });
+ setAppSplitterCookie(key, sizesString);
 });
 const onPreserveSide = useMemoizedFn(() => {
@@ -130,7 +130,7 @@ export const AppSplitter = forwardRef<
 const key = createAutoSaveId(autoSaveId);
 const sizesString = preserveSide === 'left' ? [newSizes[0], 'auto'] : ['auto', newSizes[1]];
- Cookies.set(key, JSON.stringify(sizesString), { expires: 365 });
+ setAppSplitterCookie(key, sizesString);
 }
 }
 }));
diff --git a/web/src/components/layout/AppSplitter/helper.ts b/web/src/components/layout/AppSplitter/helper.ts
index 86f688f30..116a637c4 100644
--- a/web/src/components/layout/AppSplitter/helper.ts
+++ b/web/src/components/layout/AppSplitter/helper.ts
@@ -1 +1,11 @@
 export const createAutoSaveId = (id: string) => `app-splitter-${id}`;
+
+ import Cookies from 'js-cookie';
+
+ export const setAppSplitterCookie = (key: string, value: any) => {
+ Cookies.set(key, JSON.stringify(value), {
+ expires: 365,
+ secure: true,
+ sameSite: 'strict'
+ });
+ };
diff --git a/web/src/middleware.ts b/web/src/middleware.ts
index 93e364cec..da2ea8aa6 100644
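Review bot: The first AppSplitter.tsx hunk keeps `import Cookies from 'js-cookie';` as context while the hunks at lines 101 and 130 replace the only visible `Cookies.set` calls with `setAppSplitterCookie`; if no other use of `Cookies` remains in that file, the import is now dead and should go out with this change (`-import Cookies from 'js-cookie';`). Only these three hunks are visible, so whether another use survives elsewhere in AppSplitter.tsx is inferred, not confirmed. The `AppSplitter` component body that encloses the second and third hunks starts and ends outside them.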
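Review bot: `value: any` on the new `setAppSplitterCookie` in helper.ts disables checking at the helper's only boundary; both call sites in AppSplitter.tsx pass a two-element array, so `export const setAppSplitterCookie = (key: string, value: unknown) => {` (JSON.stringify accepts `unknown`) or a `readonly (number | string)[]` parameter would keep the contract visible without changing behavior. The added `import Cookies from 'js-cookie';` lands below the existing export; it should move to the top of the file so imports stay grouped. A TSDoc comment on the export would also help, since the cookie attributes are the substance of the change, e.g. `/** Persists a splitter layout for a year. Set with Secure and SameSite=Strict: the browser drops it on plain-http origins and omits it on cross-site navigations. */`. Note that `sameSite: 'strict'` here differs from the `'lax'` used for the middleware cookie in this same patch; if this cookie is read during server render of a cross-site entry into the app, Strict means it is absent on that first request, which is worth confirming against the read site.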
--- a/web/src/middleware.ts
+++ b/web/src/middleware.ts
@@ -9,7 +9,11 @@ export async function middleware(request: NextRequest) {
 const performUserCheck = !isPublicPage(request);
 supabaseResponse.headers.set('x-next-pathname', request.nextUrl.pathname);
- supabaseResponse.cookies.set('x-next-pathname', request.nextUrl.pathname);
+ supabaseResponse.cookies.set('x-next-pathname', request.nextUrl.pathname, {
+ secure: true,
+ httpOnly: true,
+ sameSite: 'lax'
+ });
 if (performUserCheck && !user && !request.nextUrl.pathname.includes('/test/')) {
 return NextResponse.redirect(