Merge branch 'secure-cookie' into stage

api/src/config/index.ts

@@ -13,15 +13,26 @@ export class SessionConfiguration {
   name: string;
   saveUninitialized: boolean;
   resave: boolean;
-  cookie: { secure: boolean; httpOnly: boolean; maxAge: number };
+  cookie: {
+    secure: boolean;
+    httpOnly: boolean;
+    maxAge: number,
+    sameSite: boolean
+  };
   store: any | undefined;
 
   constructor(secret: string | undefined, name: string | undefined) {
     this.secret = secret || 'big ole bunch of junk text';
     this.name = name || 'sess';
     this.resave = false;
     this.saveUninitialized = true;
-    this.cookie = { secure: false, httpOnly: true, maxAge: 60000 * 60 * 24 };
+    this.cookie = {
+      secure: true,
+      httpOnly: true,
+      maxAge: 60000 * 60 * 24,
+      // sameSite: true enables strict
+      sameSite: true
+    };
   }
 
   public setStore(store: any) {

docker-compose.yml

@@ -1,4 +1,24 @@
 services:
+  traefik:
+    image: traefik:v3.3
+    container_name: traefik
+    command:
+      - "--log.level=DEBUG"
+      # api.insecure opens up port 8080
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--accesslog=true"
+      - "--providers.file.filename=/opt/traefik.yml"
+    ports:
+      - "4443:443"
+      - "8080:8080"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "${PWD}/localcert:/opt/cert:ro"
+      - "${PWD}/traefik.yml:/opt/traefik.yml:ro"
   api:
     container_name: api
     build:
@@ -20,7 +40,7 @@ services:
     depends_on:
       - db
   frontend:
-    container_name: FE
+    container_name: frontend
     stdin_open: true
     build:
       context: frontend
@@ -29,12 +49,19 @@ services:
       - REACT_APP_ENV=docker
       - CHOKIDAR_USEPOLLING=true
       - PORT=8000
+      # Disabling host checking is necessary for serving behind Traefik.
+      - DANGEROUSLY_DISABLE_HOST_CHECK=true
     ports:
       - 8000:8000
     expose:
       - 8000
     depends_on:
       - api
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.frontend.entrypoints=websecure"
+      - "traefik.http.routers.frontend.tls=true"
+      - "traefik.http.routers.frontend.rule=Host(`smeqa.local`)"
   db:
     container_name: db
     image: postgres

docs/localDevelopment.md

@@ -1,42 +1,84 @@
-# Local Development:
+# Local Development
+
+## Necessary Tools
 
 - jq
 - docker
+- [mkcert](https://github.com/FiloSottile/mkcert)
 
-### Useful tools
+## Useful tools
 
 - [React Dev Tools Chrome Extension](https://github.com/facebook/react)
 - [Redux Dev Tools Chrome Extension](https://github.com/reduxjs/redux-devtools)
 
-## Running Application
+## Running the Application
 
-### Local Development
+```sh
+docker compose up
+```
+This will start PostgreSQL, a frontend react server, and the backend API server.
 
 ```sh
-docker compose up # this will start postgres, a frontend react server, and the backend API server
-(cd ./api/agencyInfo/ && ./localHiringAction.sh) # this will populate your database wtih the basic demo application.
+docker compose up --build
 ```
+This will start everything after rebuilding our containers.
 
-<!-- Testing:
+### Populate Local Data
+The following command will populate your database wtih the basic demo application.
 
 ```sh
-docker compose run --rm api npm run test
-``` -->
+cd ./api/agencyInfo/ && ./localHiringAction.sh
+```
 
-Clean up:
+### Local SSL
+[docker-compose.yml](/docker-compose.yml) is configured to serve the application
+over HTTP on port `8080`. For example: [http://localhost:8000/](http://localhost:8000/).
+
+Because the session cookie is `Secure`, you wont get very far trying to use the
+application over HTTP. Fortunately, docker-compose.yaml is already configured to serve
+HTTPS over port `4443` using using [Traefik](https://traefik.io/), provided you have
+generated a local certificate and stored it in [localcert/](/localcert/).
+
+Use [mkcert](https://github.com/FiloSottile/mkcert) to generate a local certificate
+and key for use by Traefik.
+
+```bash
+mkcert -ecdsa -key-file domain.key -cert-file domain.crt smeqa.local "*.smeqa.local"
+```
+
+Store these generated files in the `localcert/` directory, located in the root of this
+repo.
+
+If you want your browser to accept this certificate without a big, annoying warning,
+you will need to add its root certificate to your OS. First, you may not have
+permission to do this on your device. Second, **this is risky if you do not understand
+the implications, so proceed with caution.**
 
 ```sh
-# This will remove _all_ volumes and containers
-docker volume rm $(docker volume ls -q) # Removes local docker volumes
-docker rm -f $(docker ps -aq) # Removes local docker containers
+mkcert -install
+```
+
+#### Local SSL Domain
+Per the instructions above, you've generated a certificate for the `smeqa.local` domain.
+Edit your `/etc/hosts` file such that this domain resolves to your local.
+
+```
+127.0.0.1       smeqa.local
 ```
 
+Now, you can access the application over HTTPS at
+[https://smeqa.local:4443](https://smeqa.local:4443).
+
+
 ### GitHub Codespace
-This repo is configured with a [.devcontainer](/.devcontainer) to allow you to do development
-and ops work from within a GitHub Codespace.
+This repo is configured with a [.devcontainer](/.devcontainer) to allow you to do
+development and ops work from within a GitHub Codespace.
+
+SSL termination with Traefik has not been tested in the Codespace environment. As
+of now this is left as an exercise for the reader.
 
 #### Signing Commits
-GitHub will refuse to recognize any other gpg key than the one that _it_ wants to sign with inside of
+GitHub will refuse to recognize any other GPG key than the one that _it_ wants to sign with inside of
 the Codespace, which it automatically sets up for you. At least, as far as I've been able to
 determine. If you want signed commits (i.e. if your branch protection rules require it), just
 click the checkbox to enable GPG signing in your GitHub Codespaces settings (the settings attached
@@ -45,3 +87,17 @@ automatically. It'll work out of the box and you don't need to do anything else
 
 Presumably this is handled automatically within VSCode as well if you want to use its GUI git
 tools, but I haven't tested this.
+
+<!-- Testing:
+
+```sh
+docker compose run --rm api npm run test
+``` -->
+
+Clean up:
+
+```sh
+# This will remove _all_ volumes and containers
+docker volume rm $(docker volume ls -q) # Removes local docker volumes
+docker rm -f $(docker ps -aq) # Removes local docker containers
+```

localcert/.gitignore

@@ -0,0 +1 @@
+*

traefik.yml

@@ -0,0 +1,4 @@
+tls:
+  certificates:
+    - certFile: ./opt/cert/domain.crt
+      keyFile: ./opt/cert/domain.key