From dc765b3719e35b9711e81c9666a2fe6c1fc2b9e0 Mon Sep 17 00:00:00 2001
From: Tsu-ba-me
Date: Fri, 28 Apr 2023 19:54:31 -0400
Subject: [PATCH] fix(striker-ui-api): set session cookie options

* Set 'secure' because we don't have a certificate yet
* Set 'httpOnly' to avoid exposing the cookie in 'document'

---
 striker-ui-api/src/session.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/striker-ui-api/src/session.ts b/striker-ui-api/src/session.ts
index 1d9b1133..d127889c 100644
--- a/striker-ui-api/src/session.ts
+++ b/striker-ui-api/src/session.ts
@@ -182,7 +182,11 @@ export class SessionStore extends BaseSessionStore {
 export default (async () =>
   expressSession({
-    cookie: { maxAge: DEFAULT_COOKIE_ORIGINAL_MAX_AGE },
+    cookie: {
+      httpOnly: true,
+      maxAge: DEFAULT_COOKIE_ORIGINAL_MAX_AGE,
+      secure: false,
+    },
     genid: ({ path }) => {
       const sid = uuid();