From c2c6a1d352de501aa7c8525f83a855fe33ec6c1f Mon Sep 17 00:00:00 2001 From: Nathan Walters Date: Wed, 1 May 2019 13:10:04 -0500 Subject: [PATCH] Trust information from the Apache proxy (#284) * Trust information from the proxy * Add changelog entry * Re-add cookie on every request --- CHANGELOG.md | 1 + src/app.js | 4 ++++ src/middleware/authnJwt.js | 9 ++++++++- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a0f21af..3b4ced9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ with the current semantic version and the next changes should go under a **[Next * Refine dark mode: better styles, new Bootstrap colors, and a custom select component. ([@nwalters512](https://github.com/nwalters512) in [#279](https://github.com/illinois/queue/pull/279)) * Add TypeScript support to all build tooling; add some basic types to existing code. ([@nwalters512](https://github.com/nwalters512) in [#281](https://github.com/illinois/queue/pull/281)) +* Configure Express to know that we're running behind a proxy. ([@nwalters512](https://github.com/nwalters512) in [#284](https://github.com/illinois/queue/pull/284)) ## v1.2.0 diff --git a/src/app.js b/src/app.js index d3b94341..f0aa0a50 100644 --- a/src/app.js +++ b/src/app.js @@ -7,6 +7,10 @@ const rewrite = require('express-urlrewrite') const { logger } = require('./util/logger') const { baseUrl, isDev, isNow } = require('./util') +// We're probably running behind a proxy - trust them and derive information +// from the X-Forwarded-* headers: https://expressjs.com/en/guide/behind-proxies.html +app.set('trust proxy', 'loopback') + app.use(cookieParser()) app.use(bodyParser.json()) app.use(bodyParser.urlencoded({ extended: false })) diff --git a/src/middleware/authnJwt.js b/src/middleware/authnJwt.js index 66d78139..5b7d7d98 100644 --- a/src/middleware/authnJwt.js +++ b/src/middleware/authnJwt.js 
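Review bot: `app.set('trust proxy', 'loopback')` in src/app.js makes `req.ip`, `req.protocol` and `req.secure` derive from X-Forwarded-* headers only when the immediate peer is a loopback address, so the comment's "probably running behind a proxy" understates what the line asserts: that the Apache proxy is on the same host. If any deployment fronts the app from a non-loopback address (the `isNow` import in the same hunk suggests another target, but that is inference), the headers are ignored there and the cookie behaviour this PR is validating silently does not take effect. I'd make the assumption explicit: `// Apache runs on this host; trust X-Forwarded-* only from loopback so a remote client cannot spoof req.ip/req.secure`. Also worth confirming that the Apache side sends X-Forwarded-Proto, since mod_proxy adds X-Forwarded-For/Host/Server by default but not Proto, and without it `req.secure` stays false behind the proxy.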
@@ -1,6 +1,6 @@ const { ApiError } = require('../api/util') const safeAsync = require('../middleware/safeAsync') -const { getUserFromJwt } = require('../auth/util') +const { getUserFromJwt, addJwtCookie } = require('../auth/util') module.exports = safeAsync(async (req, res, next) => { if (res.locals.userAuthn) { @@ -23,6 +23,13 @@ module.exports = safeAsync(async (req, res, next) => { return } + // This was done as a part of https://github.com/illinois/queue/pull/284 to + // quickly validate that our fix was working; otherwise we'd have to wait a + // month before seeing results since that's the maximum length of time that + // any old, non-secure cookies would last. This can probably be safely removed + // a month after that PR was deployed. + addJwtCookie(req, res, user) + res.locals.userAuthn = user next() })
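Review bot: The `addJwtCookie(req, res, user)` call in the second hunk re-issues the auth cookie on every authenticated request, and the comment marks it as temporary without a tracked removal marker; I'd prefix it with `// TODO(nwalters512): remove one month after #284 is deployed` so it does not outlive its purpose. If `addJwtCookie` mints a fresh token with a new expiry each time (its body is not visible here), this also turns the fixed cookie lifetime into a sliding one for as long as the user keeps visiting, which is a change in session-lifetime semantics worth stating in the comment. The handler body between the two hunks, where `user` is resolved, is outside the hunk.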