feat: Additional httpOnly token for enhanced security in browsers

server/api/helpers/utils/clear-http-only-token-cookie.js

@@ -0,0 +1,16 @@
+module.exports = {
+  sync: true,
+
+  inputs: {
+    response: {
+      type: 'ref',
+      required: true,
+    },
+  },
+
+  fn(inputs) {
+    inputs.response.clearCookie('httpOnlyToken', {
+      path: sails.config.custom.baseUrlPath,
+    });
+  },
+};

server/api/helpers/utils/create-jwt-token.js

@@ -16,18 +16,23 @@ module.exports = {
 
   fn(inputs) {
     const { issuedAt = new Date() } = inputs;
-    const iat = Math.floor(issuedAt / 1000);
 
-    return jwt.sign(
-      {
-        iat,
-        sub: inputs.subject,
-        exp: iat + sails.config.custom.tokenExpiresIn * 24 * 60 * 60,
-      },
-      sails.config.session.secret,
-      {
-        keyid: uuid(),
-      },
-    );
+    const iat = Math.floor(issuedAt / 1000);
+    const exp = iat + sails.config.custom.tokenExpiresIn * 24 * 60 * 60;
+
+    const payload = {
+      iat,
+      exp,
+      sub: inputs.subject,
+    };
+
+    const token = jwt.sign(payload, sails.config.session.secret, {
+      keyid: uuid(),
+    });
+
+    return {
+      token,
+      payload,
+    };
   },
 };

server/api/helpers/utils/set-http-only-token-cookie.js

@@ -0,0 +1,28 @@
+module.exports = {
+  sync: true,
+
+  inputs: {
+    value: {
+      type: 'string',
+      required: true,
+    },
+    accessTokenPayload: {
+      type: 'json',
+      required: true,
+    },
+    response: {
+      type: 'ref',
+      required: true,
+    },
+  },
+
+  fn(inputs) {
+    inputs.response.cookie('httpOnlyToken', inputs.value, {
+      expires: new Date(inputs.accessTokenPayload.exp * 1000),
+      path: sails.config.custom.baseUrlPath,
+      secure: sails.config.custom.baseUrlSecure,
+      httpOnly: true,
+      sameSite: 'strict',
+    });
+  },
+};