Skip to content

feat: fix the problem in the Operator Market frontend pages#203

Merged
o0Shark0o merged 1 commit intomainfrom
feat/operatormarket-debug
Dec 29, 2025
Merged

feat: fix the problem in the Operator Market frontend pages#203
o0Shark0o merged 1 commit intomainfrom
feat/operatormarket-debug

Conversation

@o0Shark0o
Copy link
Copy Markdown
Contributor

@o0Shark0o o0Shark0o commented Dec 29, 2025

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 29, 2025
View reviewed changes
frontend/src/mock/mock-core/session-helper.cjs
Comment on lines +40 to +56
return session({
name: "demo.name",
secret: "demo.secret",
resave: true,
saveUninitialized: true,
cookie: {
maxAge: 60 * 60 * 1e3,
expires: new Date(Date.now() + 60 * 60 * 1e3),
}, // 1 hour
store: new FileStore({
path: path.join(__dirname, "../sessions"),
retries: 0,
keyFunction: (secret, sessionId) => {
return secret + sessionId;
},
}),
});

Check warning

Code scanning / CodeQL

Clear text transmission of sensitive cookie Medium

Sensitive cookie sent without enforcing SSL encryption.

Copilot Autofix

AI 3 months ago

In general, the problem is that the session cookie is created without the secure flag, meaning browsers will send it over plain HTTP as well as HTTPS. For sensitive session data, the cookie should be marked secure so it is only transmitted over HTTPS. Because this helper already determines an environment (isDev), the best fix is to explicitly set cookie.secure based on that flag: true in non‑development (production) and false in development, preserving existing behavior locally while enforcing SSL where it matters.

Concretely, in frontend/src/mock/mock-core/session-helper.cjs, in the genExpressSession function, update the cookie object (lines 45–48) to include a secure property that is !isDev. That will use a secure cookie outside development. No new imports are required; we reuse the existing isDev constant defined at lines 8–10. No other functionality changes: the cookie name, secret, maxAge, expires, and store configuration remain the same.

Suggested changeset 1
frontend/src/mock/mock-core/session-helper.cjs

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/frontend/src/mock/mock-core/session-helper.cjs b/frontend/src/mock/mock-core/session-helper.cjs
--- a/frontend/src/mock/mock-core/session-helper.cjs
+++ b/frontend/src/mock/mock-core/session-helper.cjs
@@ -45,6 +45,7 @@
     cookie: {
       maxAge: 60 * 60 * 1e3,
       expires: new Date(Date.now() + 60 * 60 * 1e3),
+      secure: !isDev,
     }, // 1 hour
     store: new FileStore({
       path: path.join(__dirname, "../sessions"),
EOF
@@ -45,6 +45,7 @@
cookie: {
maxAge: 60 * 60 * 1e3,
expires: new Date(Date.now() + 60 * 60 * 1e3),
secure: !isDev,
}, // 1 hour
store: new FileStore({
path: path.join(__dirname, "../sessions"),
Copilot is powered by AI and may make mistakes. Always verify output.
@o0Shark0o o0Shark0o merged commit 8f30f71 into main Dec 29, 2025
8 checks passed
@o0Shark0o o0Shark0o mentioned this pull request Dec 29, 2025
Merged
o0Shark0o added a commit that referenced this pull request Dec 29, 2025
@o0Shark0o
Revert "feat: fix the problem in the Operator Market frontend pages" (#…
081abf7 
…204)

Reverts #203
@o0Shark0o o0Shark0o deleted the feat/operatormarket-debug branch December 29, 2025 06:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@o0Shark0o @github-advanced-security