fix: local access

src/server/config/configuration.ts

@@ -71,6 +71,7 @@ export type ClientConfig = {
 type ConfigType = {
   basePath: string;
   isProduction: boolean;
+  secureCookie: boolean;
   logJson: boolean;
   playground: boolean;
   logLevel: string;
@@ -186,6 +187,7 @@ export default (): ConfigType => {
     accountConfigPath: process.env.ACCOUNT_CONFIG_PATH || '',
     torProxy: process.env.TOR_PROXY_SERVER || '',
     isProduction,
+    secureCookie: process.env.SECURE_COOKIE === 'true',
     headers,
     throttler,
     sso,

src/server/main.ts

@@ -6,7 +6,16 @@ import { WINSTON_MODULE_NEST_PROVIDER } from 'nest-winston';
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
   app.useLogger(app.get(WINSTON_MODULE_NEST_PROVIDER));
-  app.use(helmet());
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          ...helmet.contentSecurityPolicy.getDefaultDirectives(),
+          'upgrade-insecure-requests': null,
+        },
+      },
+    })
+  );
   app.setGlobalPrefix(process.env.BASE_PATH || '');
 
   await app.listen(process.env.PORT || 3001, process.env.HOST);

src/server/modules/api/amboss/amboss.resolver.ts

@@ -77,7 +77,7 @@ export class AmbossResolver {
         if (ambossAuth) return ambossAuth;
 
         const jwt = await this.ambossService.getAmbossJWT(user.id);
-        const isProduction = this.configService.get('isProduction');
+        const secureCookie = this.configService.get('secureCookie');
 
         res.setHeader(
           'Set-Cookie',
@@ -86,7 +86,7 @@ export class AmbossResolver {
             httpOnly: true,
             sameSite: true,
             path: '/',
-            secure: isProduction,
+            secure: secureCookie,
           })
         );
 
@@ -293,7 +293,7 @@ export class AmbossResolver {
     @CurrentUser() user: UserId
   ) {
     const jwt = await this.ambossService.getAmbossJWT(user.id);
-    const isProduction = this.configService.get('isProduction');
+    const secureCookie = this.configService.get('secureCookie');
 
     res.setHeader(
       'Set-Cookie',
@@ -302,7 +302,7 @@ export class AmbossResolver {
         httpOnly: true,
         sameSite: true,
         path: '/',
-        secure: isProduction,
+        secure: secureCookie,
       })
     );
 

src/server/modules/api/auth/auth.resolver.ts

@@ -153,6 +153,7 @@ export class AuthResolver {
     const dangerousNoSSOAuth = this.configService.get('sso.dangerousNoSSOAuth');
     const cookiePath = this.configService.get('cookiePath');
     const isProduction = this.configService.get('isProduction');
+    const secureCookie = this.configService.get('secureCookie');
 
     const ssoAccount = this.accountsService.getAccount('sso');
 
@@ -213,7 +214,7 @@ export class AuthResolver {
           httpOnly: true,
           sameSite: true,
           path: '/',
-          secure: isProduction,
+          secure: secureCookie,
         })
       );
       return true;
@@ -240,6 +241,7 @@ export class AuthResolver {
     }
 
     const isProduction = this.configService.get('isProduction');
+    const secureCookie = this.configService.get('secureCookie');
     const disable2FA = this.configService.get('disable2FA');
 
     if (account.encrypted) {
@@ -309,15 +311,15 @@ export class AuthResolver {
         httpOnly: true,
         sameSite: true,
         path: '/',
-        secure: isProduction,
+        secure: secureCookie,
       })
     );
     return info?.['version'] || ''; // TODO: Remove unsafe casting when GetWalletInfo type is updated
   }
 
   @Mutation(() => Boolean)
   async logout(@Context() { res }: ContextType) {
-    const isProduction = this.configService.get('isProduction');
+    const secureCookie = this.configService.get('secureCookie');
     const cookies = [];
 
     for (const cookieName in appConstants) {
@@ -330,7 +332,7 @@ export class AuthResolver {
             httpOnly: true,
             sameSite: true,
             path: '/',
-            secure: isProduction,
+            secure: secureCookie,
           })
         );
       }