Potential fix for code scanning alert no. 51: Clear text transmission of sensitive cookie#5809

Merged
christopherholland-workday merged 1 commit into main from alert-autofix-51 on Feb 24, 2026

Conversation

@christopherholland-workday christopherholland-workday commented Feb 20, 2026

Potential fix for https://github.com/FlowiseAI/Flowise/security/code-scanning/51

To fix the problem, the session cookie must always be marked as secure in any environment where it can contain sensitive information. The safest approach is to (a) default to secure: true, (b) only allow overriding to false in clearly demarcated non-production / development scenarios, and (c) optionally rely on trust proxy plus cookie.secure: 'auto' if the app runs behind HTTPS-terminating proxies. Since we can only edit the shown snippet, we should tighten the secureCookie logic so that in production-like environments it is always true and cannot be disabled by misconfiguration.

The single best minimal-change fix here is to compute secureCookie such that it is true whenever NODE_ENV === 'production' (or when APP_URL is HTTPS), and only allow secure: false explicitly in non-production settings. We keep the existing env-based configurability but guard the insecure option with NODE_ENV !== 'production'. Concretely, we will modify the secureCookie constant defined at lines 38–45 to:

  • Default to true when NODE_ENV === 'production'.
  • Otherwise, respect SECURE_COOKIES if explicitly set, or fall back to checking APP_URL for HTTPS, or finally false for dev without HTTPS.

This does not require changes elsewhere because options.cookie.secure already uses secureCookie. No new methods are needed; only the expression for secureCookie needs to be updated in packages/server/src/enterprise/middleware/passport/index.ts.

Based on this line of code, this appears the proper way to check if it's running in production:

if (process.env.NODE_ENV === 'production' && 'serviceWorker' in navigator) {

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

… of sensitive cookie

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
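The secureCookie resolution the PR description lays out (production always secure, otherwise SECURE_COOKIES if set, then an HTTPS check on APP_URL, then false), as an added TypeScript example that is not Flowise's own code. The variable names are the ones the PR names; the cookie option fields other than secure are assumptions.

```typescript
// Added example, not Flowise's own code: the secureCookie rule the PR describes,
// written as a pure function over an explicit env object so it can be tested
// without mutating process.env. Assumes the variable names NODE_ENV,
// SECURE_COOKIES and APP_URL as named in the PR.
type CookieEnv = {
  NODE_ENV?: string
  SECURE_COOKIES?: string
  APP_URL?: string
}

// Returns true when the session cookie must carry the Secure attribute.
function resolveSecureCookie(env: CookieEnv): boolean {
  // 1. Production is always secure; SECURE_COOKIES=false cannot downgrade it.
  if (env.NODE_ENV === 'production') return true
  // 2. Outside production an explicit SECURE_COOKIES setting wins.
  if (env.SECURE_COOKIES !== undefined && env.SECURE_COOKIES !== '') {
    return env.SECURE_COOKIES.trim().toLowerCase() === 'true'
  }
  // 3. Otherwise infer from APP_URL: only an https:// origin gets a secure cookie.
  if (env.APP_URL) {
    try {
      return new URL(env.APP_URL).protocol === 'https:'
    } catch {
      return false // malformed URL: treat as not-HTTPS rather than guessing
    }
  }
  // 4. Plain development with no HTTPS.
  return false
}

// express-session style cookie options built from the resolved flag, mirroring
// how options.cookie.secure consumes secureCookie in the PR (other fields assumed).
function sessionCookieOptions(env: CookieEnv) {
  return {
    secure: resolveSecureCookie(env),
    httpOnly: true,
    sameSite: 'lax' as const
  }
}

// Stand-alone check: a production deploy that tried to disable Secure still gets it.
console.log(sessionCookieOptions({ NODE_ENV: 'production', SECURE_COOKIES: 'false' }))
```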
@gemini-code-assist

Summary of Changes

Hello @christopherholland-workday, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical security enhancement by modifying the session cookie configuration to ensure that cookies are always marked as 'secure' in production environments. This change directly addresses a code scanning alert related to clear-text transmission of sensitive data, thereby preventing potential vulnerabilities and aligning with best practices for web application security.

Highlights

  • Enhanced Cookie Security: Modified the secureCookie logic to enforce secure: true in production environments, preventing clear-text transmission of sensitive session data.
  • Production Environment Default: The secureCookie setting now defaults to true when NODE_ENV is 'production', overriding explicit SECURE_COOKIES=false settings in production to bolster security.
Changelog
  • packages/server/src/enterprise/middleware/passport/index.ts
    • Updated the secureCookie constant to prioritize secure: true when NODE_ENV is 'production', otherwise falling back to the SECURE_COOKIES environment variable or APP_URL checks.
Activity
  • No specific activity (comments, reviews, progress) was provided in the context.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request addresses a code scanning alert by ensuring session cookies are always marked as secure in production environments. The logic change is correct and effectively mitigates the risk of clear-text transmission of sensitive cookie data. I have added one comment with a suggestion to refactor the implementation for improved readability and maintainability.

@christopherholland-workday christopherholland-workday merged commit aa7bede into main Feb 24, 2026
7 checks passed