Conversation
| ## Prerequisites | ||
|
|
||
| 1. [Node.js](https://nodejs.org) | ||
| 2. Create an Web PubSub For Socket.IO resource |
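Review bot: "Create an Web PubSub For Socket.IO resource" (item 2) should read "Create a Web PubSub for Socket.IO resource"; and where item 1 links to the Node.js download, item 2 gives the reader no pointer to where or how the resource is created, so link the portal or CLI instructions the sample expects them to follow.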
| Linux: | ||
|
|
||
| ```bash | ||
| export WebPubSubConnectionString="<connection_string>" |
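Review bot: the value in `export WebPubSubConnectionString="<connection_string>"` carries the resource's access key, so a plain export in an interactive shell leaves it in shell history and in any pasted terminal transcript; the README should tell the reader to keep it out of the repository (a git-ignored `.env` file or a secret store) rather than only show the export, and since the heading is "Linux:", confirm the Windows equivalent is documented too.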
how about using dotenv package for env reading?
| @@ -0,0 +1,44 @@ | |||
| # Create a chat app with Web PubSub for Socket.IO And GitHub OAuth | |||
|
|
|||
| ## Prerequisites | |||
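Review bot: the title "Create a chat app with Web PubSub for Socket.IO And GitHub OAuth" capitalizes "And" mid-title; use "and". Since `@@ -0,0 +1,44 @@` marks this as a new file, the opening paragraph should also say what the sample is and which parts are specific to Web PubSub, so a reader can tell the integration code from the generic chat app.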
is this chat app with GitHub OAuth referencing any tutorial? Do you want to mention what are the lines updated specifically for Web PubSub?
Removed pull_request_target trigger for workflows.
| const app = express(); | ||
| const server = require("http").createServer(app); | ||
| const store = new session.MemoryStore(); | ||
| const sessionMiddleware = session({ store: store, secret: "changeit", resave: false, saveUninitialized: false }); |
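Review bot: `secret: "changeit"` hardcodes the session-signing secret in source, so any deployment that keeps the default has cookies that can be minted by anyone who has read the repository; load it from an environment variable (the README already uses one for the connection string) and refuse to start when it is unset. `new session.MemoryStore()` is also the express-session default store, which leaks memory and does not scale beyond one process; fine for a sample, but a comment should say it is not for production.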
Check warning (Code scanning / CodeQL): Clear text transmission of sensitive cookie, Medium
Copilot Autofix
AI 6 months ago
To correct the issue, set the cookie.secure property to true in the session middleware options. This enforces that the session cookie will only be sent over HTTPS, protecting it from being intercepted in cleartext. The safest fix is to add a cookie object to the session config (if it’s not already present) and set secure: true within it.
However, for development environments running over plain HTTP, using cookie.secure: true can break authentication because cookies will only be sent over HTTPS. A common pattern is to set cookie.secure conditionally: using true in production, and false during development. But since the CodeQL issue is about cleartext transmission and best-practice code, and unless we've been shown an explicit dev/prod check in the provided code region, defaulting to true is the secure choice for this fix.
Therefore, update the options passed to session() on line 12 of sdk/webpubsub-socketio-extension/examples/chat-with-auth-github/index.js by adding cookie: { secure: true }.
No additional imports or methods are required.
| @@ -9,7 +9,7 @@ | ||
| const app = express(); | ||
| const server = require("http").createServer(app); | ||
| const store = new session.MemoryStore(); | ||
| const sessionMiddleware = session({ store: store, secret: "changeit", resave: false, saveUninitialized: false }); | ||
| const sessionMiddleware = session({ store: store, secret: "changeit", resave: false, saveUninitialized: false, cookie: { secure: true } }); | ||
|
|
||
| app.use(sessionMiddleware); | ||
| app.use(bodyParser.urlencoded({ extended: false })); |
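Review bot: `cookie: { secure: true }` is applied unconditionally while the server is still built with `require("http").createServer(app)`, so on plain HTTP express-session will not set the cookie at all and the GitHub login will silently fail to persist, unless a TLS-terminating proxy sits in front and `app.set('trust proxy', 1)` is also configured. Use `secure: process.env.NODE_ENV === 'production'`, or express-session's `secure: 'auto'` together with `trust proxy`, and add a `sameSite` value while the cookie options are being touched.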
| document.querySelector('.usernameInput').value = names[idx]; | ||
| </script> | ||
| --> | ||
| <script src="https://code.jquery.com/jquery-1.10.2.min.js"></script> |
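Review bot: `<script src="https://code.jquery.com/jquery-1.10.2.min.js"></script>` loads a third-party script with no `integrity` attribute, which is what the CodeQL "untrusted source" finding is about: a substituted or compromised CDN response would run with full access to the page and the logged-in session. Either vendor the file into the app or add Subresource Integrity (`integrity="sha384-<hash published by the CDN>" crossorigin="anonymous"`, hash to be filled in). jQuery 1.10.2 is also a 2013 release from the end-of-life 1.x branch; move to a current 3.x.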
Check warning (Code scanning / CodeQL): Inclusion of functionality from an untrusted source, Medium