18F/identity-idp

lib/secure_cookies.rb

# frozen_string_literal: true
 
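# Rack middleware that reimplements the SecureHeaders secure-cookie behaviour so
# that every Set-Cookie header leaving the app carries `Secure` (on HTTPS
# requests), `HttpOnly` and `SameSite` unless the cookie already declares that
# attribute. Existing attributes are respected in any letter case and with any
# SameSite value, so an explicit `SameSite=Strict`/`None` set by the app wins.
class SecureCookies
  SECURE_REGEX = /; Secure/i
  HTTP_ONLY_REGEX = /; HttpOnly/i
  SAME_SITE_REGEX = /; SameSite/i

  # @param app [#call] the downstream Rack application
  def initialize(app)
    @app = app
  end

  # Rack entry point: forwards the request and hardens the response cookies.
  #
  # @param env [Hash] the Rack environment
  # @return [Array(Integer, Hash, #each)] the downstream status, headers (with
  #   the Set-Cookie value rewritten when present) and body, unchanged otherwise
  def call(env)
    status, headers, body = @app.call(env)
    cookies = headers[Rack::SET_COOKIE]
    headers[Rack::SET_COOKIE] = harden(cookies, https?(env)) if cookies

    [status, headers, body]
  end

  private

  # Whether the request arrived over TLS. `HTTPS=on` is the CGI-style flag
  # some servers set; `rack.url_scheme` is the Rack spec key and is what a
  # TLS-terminating front end is reflected into, so checking only `HTTPS`
  # would silently skip the Secure flag in such deployments.
  def https?(env)
    env['HTTPS'] == 'on' || env['rack.url_scheme'] == 'https'
  end

  # Rewrites a Set-Cookie header value, preserving its container type:
  # an Array (one cookie per element, Rack 3 style) yields an Array, a String
  # (Rack 2 style, cookies joined by "\n") is split per cookie first so one
  # cookie's attributes are never mistaken for another's, then joined back.
  #
  # @param cookies [Array<String>, String] the raw header value
  # @param secure [Boolean] whether to add the Secure attribute
  # @return [Array<String>, String] the hardened header value
  def harden(cookies, secure)
    if cookies.is_a?(Array)
      cookies.map { |cookie| harden_cookie(cookie, secure) }
    else
      cookies.to_s.split("\n").map { |cookie| harden_cookie(cookie, secure) }.join("\n")
    end
  end

  # Returns a new string for a single cookie with the missing attributes
  # appended. Works on a copy because the incoming string may be frozen
  # (this file freezes literals, and Rack::Headers values can be too) and
  # because the caller's object should not be mutated behind its back.
  def harden_cookie(cookie, secure)
    hardened = cookie.dup
    hardened << '; Secure' if secure && !hardened.match?(SECURE_REGEX)
    hardened << '; HttpOnly' unless hardened.match?(HTTP_ONLY_REGEX)
    hardened << '; SameSite=Lax' unless hardened.match?(SAME_SITE_REGEX)
    hardened
  end
end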