fixes #2151, apply secure cookie session only if using SSL (https)

apps/server/src/auth/utils/cookie.ts

@@ -1,4 +1,4 @@
-import { CookieOptions } from "express";
+import type { CookieOptions } from "express";
 
 export const getCookieOptions = (grantType: "access" | "refresh"): CookieOptions => {
   // Options For Access Token

apps/server/src/main.ts

@@ -1,7 +1,7 @@
 import { Logger } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { NestFactory } from "@nestjs/core";
-import { NestExpressApplication } from "@nestjs/platform-express";
+import type { NestExpressApplication } from "@nestjs/platform-express";
 import { DocumentBuilder, SwaggerModule } from "@nestjs/swagger";
 import cookieParser from "cookie-parser";
 import session from "express-session";
@@ -9,7 +9,7 @@ import helmet from "helmet";
 import { patchNestJsSwagger } from "nestjs-zod";
 
 import { AppModule } from "./app.module";
-import { Config } from "./config/schema";
+import type { Config } from "./config/schema";
 
 patchNestJsSwagger();
 
@@ -17,8 +17,13 @@ async function bootstrap() {
   const app = await NestFactory.create<NestExpressApplication>(AppModule, {
     logger: process.env.NODE_ENV === "development" ? ["debug"] : ["error", "warn", "log"],
   });
+
   const configService = app.get(ConfigService<Config>);
 
+  const accessTokenSecret = configService.getOrThrow("ACCESS_TOKEN_SECRET");
+  const publicUrl = configService.getOrThrow("PUBLIC_URL");
+  const isHTTPS = publicUrl.startsWith("https://") ?? false;
+
   // Cookie Parser
   app.use(cookieParser());
 
@@ -27,21 +32,16 @@ async function bootstrap() {
     session({
       resave: false,
       saveUninitialized: false,
-      secret: configService.getOrThrow("ACCESS_TOKEN_SECRET"),
-      cookie: { httpOnly: true, secure: process.env.NODE_ENV === "production" },
+      secret: accessTokenSecret,
+      cookie: { httpOnly: true, secure: isHTTPS },
     }),
   );
 
   // CORS
-  app.enableCors({
-    credentials: true,
-    origin: process.env.NODE_ENV === "production",
-  });
+  app.enableCors({ credentials: true, origin: isHTTPS });
 
   // Helmet - enabled only in production
-  if (process.env.NODE_ENV === "production") {
-    app.use(helmet({ contentSecurityPolicy: false }));
-  }
+  if (isHTTPS) app.use(helmet({ contentSecurityPolicy: false }));
 
   // Global Prefix
   const globalPrefix = "api";

apps/server/src/resume/decorators/resume.decorator.ts

@@ -1,5 +1,6 @@
-import { createParamDecorator, ExecutionContext } from "@nestjs/common";
-import { ResumeDto } from "@reactive-resume/dto";
+import type { ExecutionContext } from "@nestjs/common";
+import { createParamDecorator } from "@nestjs/common";
+import type { ResumeDto } from "@reactive-resume/dto";
 
 export const Resume = createParamDecorator(
   (data: keyof ResumeDto | undefined, ctx: ExecutionContext) => {

apps/server/src/types/express.d.ts

@@ -1,4 +1,4 @@
-import { Resume, User as PrismaUser } from "@prisma/client";
+import type { Resume, User as PrismaUser } from "@prisma/client";
 
 declare global {
   namespace Express {

apps/server/src/user/decorators/user.decorator.ts

@@ -1,5 +1,6 @@
-import { createParamDecorator, ExecutionContext } from "@nestjs/common";
-import { UserWithSecrets } from "@reactive-resume/dto";
+import type { ExecutionContext } from "@nestjs/common";
+import { createParamDecorator } from "@nestjs/common";
+import type { UserWithSecrets } from "@reactive-resume/dto";
 
 export const User = createParamDecorator(
   (data: keyof UserWithSecrets | undefined, ctx: ExecutionContext) => {