chore: Use httpOnly authentication cookie (#5552)

server/utils/authentication.ts

@@ -118,9 +118,8 @@ export async function signIn(
       );
     }
   } else {
-    ctx.cookies.set("accessToken", user.getJwtToken(), {
+    ctx.cookies.set("accessToken", user.getJwtToken(expires), {
       sameSite: "lax",
-      httpOnly: false,
       expires,
     });
 

server/utils/jwt.ts

@@ -20,10 +20,13 @@ function getJWTPayload(token: string) {
   }
 }
 
-export async function getUserForJWT(token: string): Promise<User> {
+export async function getUserForJWT(
+  token: string,
+  allowedTypes = ["session", "transfer"]
+): Promise<User> {
   const payload = getJWTPayload(token);
 
-  if (payload.type === "email-signin") {
+  if (!allowedTypes.includes(payload.type)) {
     throw AuthenticationError("Invalid token");
   }
 

server/utils/passport.ts

@@ -27,7 +27,6 @@ export class StateStore {
     const state = buildState(host, token, client);
 
     ctx.cookies.set(this.key, state, {
-      httpOnly: false,
       expires: addMinutes(new Date(), 10),
       domain: getCookieDomain(ctx.hostname),
     });
@@ -54,7 +53,6 @@ export class StateStore {
 
     // Destroy the one-time pad token and ensure it matches
     ctx.cookies.set(this.key, "", {
-      httpOnly: false,
       expires: subMinutes(new Date(), 1),
       domain: getCookieDomain(ctx.hostname),
     });