feat(security): add cookie samesite & security settings (#1517)

.env

@@ -6,6 +6,8 @@ MONGODB_DB_NAME=chat-ui
 MONGODB_DIRECT_CONNECTION=false
 
 COOKIE_NAME=hf-chat
+COOKIE_SAMESITE=
+COOKIE_SECURE=
 TRUSTED_EMAIL_HEADER= # only set this if you understand the implications
 
 HF_TOKEN=#hf_<token> from https://huggingface.co/settings/token

chart/env/prod.yaml

@@ -32,6 +32,8 @@ envVars:
   APP_BASE: "/chat"
   ALLOW_IFRAME: "false"
   COMMUNITY_TOOLS: "true"
+  COOKIE_SAMESITE: "strict"
+  COOKIE_SECURE: "true"
   ENABLE_ASSISTANTS: "true"
   ENABLE_ASSISTANTS_RAG: "true"
   EXPOSE_API: "true"

src/lib/server/auth.ts

@@ -47,12 +47,22 @@ export const OIDConfig = z
 
 export const requiresUser = !!OIDConfig.CLIENT_ID && !!OIDConfig.CLIENT_SECRET;
 
+const sameSite = z
+	.enum(["lax", "none", "strict"])
+	.default(dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none")
+	.parse(env.COOKIE_SAMESITE === "" ? undefined : env.COOKIE_SAMESITE);
+
+const secure = z
+	.boolean()
+	.default(!(dev || env.ALLOW_INSECURE_COOKIES === "true"))
+	.parse(env.COOKIE_SECURE === "" ? undefined : env.COOKIE_SECURE === "true");
+
 export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
 	cookies.set(env.COOKIE_NAME, sessionId, {
 		path: "/",
 		// So that it works inside the space's iframe
-		sameSite: dev || env.ALLOW_INSECURE_COOKIES === "true" ? "lax" : "none",
-		secure: !dev && !(env.ALLOW_INSECURE_COOKIES === "true"),
+		sameSite,
+		secure,
 		httpOnly: true,
 		expires: addWeeks(new Date(), 2),
 	});