From 2984d58e2d0c04a5801ba0458f03c05fc1b8199a Mon Sep 17 00:00:00 2001
From: Jesse Chan
Date: Thu, 27 Aug 2020 19:40:43 +0800
Subject: [PATCH] server: auth: strictly prohibit cross-site cookie

Flood instances are not going to be linked from another site. This prevents Cross-Site Request Forgery attacks which exploits cached authentication token in cookie.
---
 server/routes/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/routes/auth.js b/server/routes/auth.js
index 14a39bcf..2f628a02 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -22,7 +22,7 @@ const setAuthToken = (res, username, isAdmin) => {
     expiresIn: expirationSeconds,
   });
 
-  res.cookie('jwt', token, {expires: new Date(cookieExpiration), httpOnly: true});
+  res.cookie('jwt', token, {expires: new Date(cookieExpiration), httpOnly: true, sameSite: 'Strict'});
 
   return res.json({
     success: true,
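Review bot: The new cookie options on the `+` line still omit `secure`, so the `jwt` cookie is sent over plain HTTP and a network observer on a non-TLS deployment can read the token regardless of the SameSite attribute. When the instance is served over TLS the call should also pass the flag, e.g. `res.cookie('jwt', token, {expires: new Date(cookieExpiration), httpOnly: true, sameSite: 'Strict', secure: true});`, ideally gated on a configuration setting so plain-HTTP installs behind a reverse proxy are not locked out. `sameSite: 'Strict'` also means an existing session is not recognized when the user arrives via a link from another origin, a trade-off the description accepts but which deserves a comment above the call, such as `// SameSite=Strict: cookie is never sent on cross-site navigations or requests (CSRF mitigation)`. SameSite is a browser-enforced mitigation and does not replace an Origin/Referer check or CSRF token on state-changing routes, so the description's claim that it prevents CSRF should be read as defence in depth. setAuthToken's body begins before this hunk and continues after it.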