refactor: cleanup consent code

ory · Sep 15, 2023 · 5934457 · 5934457
1 parent c7410bf
commit 5934457
Show file tree

Hide file tree

Showing 7 changed files with 152 additions and 123 deletions.
diff --git a/README.md b/README.md
@@ -38,15 +38,15 @@ Ory OAuth2 requires more setup to get CSRF cookies on the `/consent` endpoint.
   `hydra-admin.svc.cluster.local`)
 - `COOKIE_SECRET` (required): Required for signing cookies. Must be a string
   with at least 8 alphanumerical characters.
+- `CSRF_COOKIE_NAME` (required): Change the cookie name to match your domain
+  using the `__HOST-example.com-x-csrf-token` format.
 - `CSRF_COOKIE_SECRET` (optional): Required for the Consent route to set a CSRF
   cookie with a hashed value. The value must be a string with at least 8
   alphanumerical characters.
 - `REMEMBER_CONSENT_SESSION_FOR_SECONDS` (optional): Sets the `remember_for`
   value of the accept consent request in seconds. The default is 3600 seconds.
 - `ORY_ADMIN_API_TOKEN` (optional): When using with an Ory Network project, you
   should add the `ORY_ADMIN_API_TOKEN` for OAuth2 Consent flows.
-- `CSRF_COOKIE_NAME` (optional): By default the CSRF cookie will be set to
-  `__Host-ax-x-csrf-token`.
 - `DANGEROUSLY_DISABLE_SECURE_CSRF_COOKIES` (optional) This environment
   variables should only be used in local development when you do not have HTTPS
   setup. This sets the CSRF cookies to `secure: false`, required for running

diff --git a/nodemon.json b/nodemon.json
@@ -3,6 +3,7 @@
   "ext": "ts",
   "exec": "ts-node ./src/index.ts",
   "env": {
+    "CSRF_COOKIE_NAME": "ax-csrf-cookie",
     "COOKIE_SECRET": "I_AM_VERY_SECRET",
     "CSRF_COOKIE_SECRET": "I_AM_VERY_SECRET_TOO",
     "DANGEROUSLY_DISABLE_SECURE_CSRF_COOKIES": "true",

diff --git a/src/index.ts b/src/index.ts
@@ -85,6 +85,7 @@ let listener = (proto: "http" | "https") => () => {
 if (
   (process.env.ORY_ADMIN_API_TOKEN &&
     String(process.env.COOKIE_SECRET || "").length < 8) ||
+  String(process.env.CSRF_COOKIE_NAME || "").length === 0 ||
   String(process.env.CSRF_COOKIE_SECRET || "").length < 8
 ) {
   console.error(
@@ -93,6 +94,9 @@ if (
   console.error(
     "COOKIE_SECRET must be set and be at least 8 alphanumerical character `export COOKIE_SECRET=...`",
   )
+  console.error(
+    "CSRF_COOKIE_NAME must be set! Prefix the name to scope it to your domain `__HOST-` `export CSRF_COOKIE_NAME=...`",
+  )
   console.error(
     "CSRF_COOKIE_SECRET must be set and be at least 8 alphanumerical character `export CSRF_COOKIE_SECRET=...`",
   )

diff --git a/src/pkg/sdk/index.ts b/src/pkg/sdk/index.ts
@@ -39,6 +39,9 @@ const sdk = {
   identity: new IdentityApi(
     new Configuration({
       basePath: apiBaseIdentityUrl,
+      ...(process.env.ORY_ADMIN_API_TOKEN && {
+        accessToken: process.env.ORY_ADMIN_API_TOKEN,
+      }),
     }),
   ),
 }