fix(autoLogoutIssue): failing whoami (#1196)
## Problem

There was an issue with #1183 due to the removal of the `trust proxy` setting in express. There are two packages that rely on express apis, `express-rate-limit` and `express-session`. Due to changes in the way we used `express-rate-limit`, I thought that this setting could be removed, and this was only done with the intention of a cleanup and does not affect the functionality of how we are currently using `express-rate-limit`.

The [documentation](https://github.com/expressjs/session?tab=readme-ov-file#cookiesecure) for `express-session` also states that:

> If secure is set, and you access your site over HTTP, the cookie will not be set. If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express

Checking in with the vapt folks to sense check this fix as well.

## Solution

Add back trust proxy.

**Breaking Changes**
<!-- Does this PR contain any backward incompatible changes? If so, what are they and should there be special considerations for release? -->
- [ ] Yes - this PR contains breaking changes - Details ...
- [X] No - this PR is backwards compatible with ALL of the following feature flags in this [doc](https://www.notion.so/opengov/Existing-feature-flags-518ad2cdc325420893a105e88c432be5)

# Note: This test will take a while, and requires at worst 15 mins to conduct

## Tests

- [ ] create a file called ddos.js

  ```js
  // Requires Node 18+ for the global fetch.
  const stg = "https://staging-cms-api.isomer.gov.sg/v2/auth/verify"

  // Not defined in the posted snippet: returns a random dotted-quad so each
  // request carries a different X-Forwarded-For value.
  function generateRandomIp() {
    return Array.from({ length: 4 }, () => Math.floor(Math.random() * 256)).join(".")
  }

  async function send() {
    try {
      const resp = await fetch(stg, {
        method: "POST",
        body: JSON.stringify({
          email: "[email protected]", // address redacted in the original
          otp: "111111",
        }),
        headers: {
          "Content-Type": "application/json",
          "X-Forwarded-For": generateRandomIp(),
        },
      })
      const text = await resp.text()
      console.log(text)
      // Rate-limit headers set by express-rate-limit
      console.log({
        Limit: resp.headers.get("Ratelimit-Limit"),
        Remaining: resp.headers.get("Ratelimit-Remaining"),
        Reset: resp.headers.get("Ratelimit-Reset"),
      })
    } catch (err) {
      console.log(err.message)
    }
  }

  // Fire 25 requests concurrently (deliberately not awaited) to exercise the limiter
  for (let i = 1; i <= 25; i++) {
    send()
  }
  ```
- [ ] connect to ogp vpn
- [ ] run `node ddos.js`
- [ ] assert that the remaining counter fell from 100
  ![Screenshot 2024-03-08 at 9 09 39 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/9cfb6417-c96c-45fd-8b58-820dd14c90bc)
- [ ] note the reset time (this is the window time, and by extension the amount of time to wait for this test)
- [ ] disconnect from vpn
- [ ] run `node ddos.js`
- [ ] assert that the remaining counter fell from 100
  ![Screenshot 2024-03-08 at 9 09 39 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/9cfb6417-c96c-45fd-8b58-820dd14c90bc)
- [ ] After the reset time is reached, do the above steps again and verify that the counters for both simulated users have reset.
  ![Screenshot 2024-03-08 at 9 14 36 AM](https://github.com/isomerpages/isomercms-backend/assets/42832651/54e99386-6339-43ee-8bf8-1d182e299d33)
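As an added illustration of why the setting matters (this is a model written for this note, not code from the PR or from Express itself): it follows the documented Express semantics for `trust proxy` (a number trusts that many proxy hops counted from the socket, `true` trusts the whole `X-Forwarded-For` chain, `false` trusts none) to derive `req.ip`, which IP-keyed rate limiting sees, and `req.secure`, which `express-session` falls back to before setting a `secure: true` cookie. The request objects and the function names `clientView` and `sessionCookieWouldBeSet` are constructed for the example.

```javascript
// Model of how Express's `trust proxy` setting shapes req.ip and req.secure.
// A numeric setting trusts that many hops from the socket address,
// `true` trusts every hop, `false`/unset trusts none. Not Express's own code.
function compileTrust(setting) {
  if (setting === true) return () => true;
  if (typeof setting === "number") return (_addr, hop) => hop < setting;
  return () => false;
}

// `req` is a constructed object: { remoteAddress, encrypted, headers }.
function clientView(req, trustSetting) {
  const trust = compileTrust(trustSetting);
  // Address chain ordered socket-first, then X-Forwarded-For right-to-left,
  // so hop 0 is the peer that actually connected to node.
  const xff = (req.headers["x-forwarded-for"] || "")
    .split(",").map((s) => s.trim()).filter(Boolean).reverse();
  const chain = [req.remoteAddress, ...xff];
  let ip = chain[0];
  for (let i = 0; i < chain.length - 1; i++) {
    if (!trust(chain[i], i)) break; // stop at the first untrusted hop
    ip = chain[i + 1];
  }
  // Scheme: X-Forwarded-Proto is only consulted when the socket peer is trusted.
  let protocol = req.encrypted ? "https" : "http";
  if (trust(req.remoteAddress, 0) && req.headers["x-forwarded-proto"]) {
    protocol = req.headers["x-forwarded-proto"].split(",")[0].trim();
  }
  return { ip, secure: protocol === "https" };
}

// express-session with cookie.secure = true skips the Set-Cookie header when
// the request is not seen as secure; this mirrors that condition.
function sessionCookieWouldBeSet(req, trustSetting) {
  return sessionCookieWouldBeSetFor(clientView(req, trustSetting));
}
function sessionCookieWouldBeSetFor(view) {
  return view.secure === true;
}

// Constructed request: TLS terminated at a load balancer, plain HTTP to node.
const behindProxy = {
  remoteAddress: "10.0.0.5", // the load balancer, not the user
  encrypted: false,
  headers: { "x-forwarded-for": "203.0.113.7", "x-forwarded-proto": "https" },
};
```

With `trust proxy` removed, the view is `{ ip: "10.0.0.5", secure: false }`, so every user shares one rate-limit key and the secure session cookie is never set; with `trust proxy` set to `1` the view becomes `{ ip: "203.0.113.7", secure: true }`.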