From 2c8954a44d2d16a27b00820e07cdc84d0c34b826 Mon Sep 17 00:00:00 2001
From: Antoine Moreaux
Date: Mon, 20 Jan 2025 11:05:34 +0100
Subject: [PATCH] fix(session-storage): add typing and trust proxy setting (#9725)
Added explicit typing for session storage options to improve type safety. Enabled 'trust proxy' to ensure proper client IP and protocol detection behind proxies. These changes improve security and reliability in session handling.
---
 .../session-storage/session-storage.module-factory.ts | 3 ++-
 packages/twenty-server/src/main.ts | 5 ++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts b/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts
index e3022b8a4..a717b704c 100644
--- a/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts
+++ b/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts
@@ -14,10 +14,11 @@ export const getSessionStorageOptions = (
 const SERVER_URL = environmentService.get('SERVER_URL');
- const sessionStorage = {
+ const sessionStorage: session.SessionOptions = {
 secret: environmentService.get('SESSION_STORE_SECRET'),
 resave: false,
 saveUninitialized: false,
+ proxy: true,
 cookie: {
 secure: !!(SERVER_URL && SERVER_URL.startsWith('https')),
 maxAge: 1000 * 60 * 30, // 30 minutes
diff --git a/packages/twenty-server/src/main.ts b/packages/twenty-server/src/main.ts
index 96ab5b390..90c189a9a 100644
--- a/packages/twenty-server/src/main.ts
+++ b/packages/twenty-server/src/main.ts
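Review bot: `proxy: true` on the session options does not enable Express's `trust proxy`; in express-session that option only makes the secure-cookie check read `X-Forwarded-Proto` unconditionally, ignoring whatever `app.set('trust proxy', …)` says, so the header is honoured from any peer that can reach the server directly rather than only from the configured proxy hop. The `req.ip`/`req.protocol` detection the commit message promises is unaffected by this option, and the main.ts hunk below does not call `app.set('trust proxy', …)` either. Leaving `proxy` undefined lets express-session defer to Express's trust-proxy setting, which can then be scoped to the real proxy in main.ts; if `proxy: true` is deliberate, a comment should say so, e.g. `proxy: true, // trusts X-Forwarded-Proto regardless of app 'trust proxy'; only safe when every request arrives via the reverse proxy`. getSessionStorageOptions continues outside the hunk (the cookie object is cut at maxAge).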
@@ -38,6 +38,8 @@ const bootstrap = async () => {
 const logger = app.get(LoggerService);
 const environmentService = app.get(EnvironmentService);
+ app.use(session(getSessionStorageOptions(environmentService)));
+
 // TODO: Double check this as it's not working for now, it's going to be helpful for durable trees in twenty "orm"
 //
 // Apply context id strategy for durable trees
 // ContextIdFactory.apply(new AggregateByWorkspaceContextIdStrategy());
@@ -83,9 +85,6 @@ const bootstrap = async () => {
 // Inject the server url in the frontend page
 generateFrontConfig();
- // Enable session - Today it's used only for SSO
- app.use(session(getSessionStorageOptions(environmentService)));
-
 await app.listen(environmentService.get('PORT'));
 };
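Review bot: The relocated `app.use(session(getSessionStorageOptions(environmentService)))` line drops the explanatory comment that the second hunk in this file deletes (`// Enable session - Today it's used only for SSO`), so a reader no longer learns why the session middleware exists or why it now has to be registered this early in bootstrap. Suggest carrying it over as `// Enable session - today used only for SSO; registered early so that middleware added later in bootstrap sees req.session` (the reason for the earlier registration is inferred from the move and worth confirming). Which middleware between the old and new positions actually reads `req.session` cannot be seen from this hunk; bootstrap starts before and ends after it.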