add secure middleware checks

2025-01-23 16:33:33 -07:00 · 2025-01-23 16:33:33 -07:00 · 15e515720f
parent d315d6f410
commit 15e515720f
5 changed files with 23 additions and 8 deletions
--- a/web/src/app/app/_components/Lists/FavoriteStar.tsx
+++ b/web/src/app/app/_components/Lists/FavoriteStar.tsx
@ -68,7 +68,9 @@ export const FavoriteStar: React.FC<{
        classNames={{
          icon: '!text-inherit !mt-[-2px]'
        }}
-        className={cx(className, 'flex', styles.icon, iconStyle, { 'is-favorited': isFavorited })}
+        className={cx(className, 'flex', styles.icon, iconStyle, {
+          'is-favorited opacity-100': isFavorited
+        })}
        onClick={onFavoriteClick}
        type="text"
        icon={<AppMaterialIcons icon="star" fill={isFavorited} />}
--- a/web/src/app/app/metrics/_ThreadListContainer/_ThreadItemsContainer.tsx
+++ b/web/src/app/app/metrics/_ThreadListContainer/_ThreadItemsContainer.tsx
@ -241,14 +241,13 @@ const TitleCell = React.memo<{ title: string; status: BusterVerificationStatus;
          <StatusBadgeIndicator status={status} />
        </div>
        <Text ellipsis={true}>{title}</Text>
-        <div
-          className="flex items-center opacity-0 group-hover:opacity-100"
-          onClick={onFavoriteDivClick}>
+        <div className="flex items-center" onClick={onFavoriteDivClick}>
          <FavoriteStar
            id={threadId}
            type={BusterShareAssetType.THREAD}
            iconStyle="tertiary"
            name={title}
+            className="opacity-0 group-hover:opacity-100"
          />
        </div>
      </div>
--- a/web/src/components/layout/AppSplitter/AppSplitter.tsx
+++ b/web/src/components/layout/AppSplitter/AppSplitter.tsx
@ -3,7 +3,7 @@
 import { useMemoizedFn } from 'ahooks';
 import React, { useEffect, useMemo, useState, forwardRef, useImperativeHandle } from 'react';
 import SplitPane, { Pane } from './SplitPane';
-import { createAutoSaveId } from './helper';
+import { createAutoSaveId, setAppSplitterCookie } from './helper';
 import Cookies from 'js-cookie';
 import { createStyles } from 'antd-style';

@ -101,7 +101,7 @@ export const AppSplitter = forwardRef<
      setSizes(sizes);
      const key = createAutoSaveId(autoSaveId);
      const sizesString = preserveSide === 'left' ? [sizes[0], 'auto'] : ['auto', sizes[1]];
-      Cookies.set(key, JSON.stringify(sizesString), { expires: 365 });
+      setAppSplitterCookie(key, sizesString);
    });

    const onPreserveSide = useMemoizedFn(() => {
@ -130,7 +130,7 @@ export const AppSplitter = forwardRef<
          const key = createAutoSaveId(autoSaveId);
          const sizesString =
            preserveSide === 'left' ? [newSizes[0], 'auto'] : ['auto', newSizes[1]];
-          Cookies.set(key, JSON.stringify(sizesString), { expires: 365 });
+          setAppSplitterCookie(key, sizesString);
        }
      }
    }));
--- a/web/src/components/layout/AppSplitter/helper.ts
+++ b/web/src/components/layout/AppSplitter/helper.ts
@ -1 +1,11 @@
 export const createAutoSaveId = (id: string) => `app-splitter-${id}`;
+
+import Cookies from 'js-cookie';
+
+export const setAppSplitterCookie = (key: string, value: any) => {
+  Cookies.set(key, JSON.stringify(value), {
+    expires: 365,
+    secure: true,
+    sameSite: 'strict'
+  });
+};
--- a/web/src/middleware.ts
+++ b/web/src/middleware.ts
@ -9,7 +9,11 @@ export async function middleware(request: NextRequest) {

    const performUserCheck = !isPublicPage(request);
    supabaseResponse.headers.set('x-next-pathname', request.nextUrl.pathname);
-    supabaseResponse.cookies.set('x-next-pathname', request.nextUrl.pathname);
+    supabaseResponse.cookies.set('x-next-pathname', request.nextUrl.pathname, {
+      secure: true,
+      httpOnly: true,
+      sameSite: 'lax'
+    });

    if (performUserCheck && !user && !request.nextUrl.pathname.includes('/test/')) {
      return NextResponse.redirect(