From a90203f256054ae9660b7444d2a61a1897967d8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joakim=20S=C3=B8rensen?=
Date: Mon, 24 Aug 2020 14:21:57 +0200
Subject: [PATCH] Use secure cookie if https (#6644)
---
 src/data/hassio/supervisor.ts | 6 ++-
 test-mocha/hassio/create_session.spec.ts | 57 ++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 test-mocha/hassio/create_session.spec.ts
diff --git a/src/data/hassio/supervisor.ts b/src/data/hassio/supervisor.ts
index f6a7d2811c..aaf854ac81 100644
--- a/src/data/hassio/supervisor.ts
+++ b/src/data/hassio/supervisor.ts
@@ -71,7 +71,11 @@ export const createHassioSession = async (hass: HomeAssistant) => {
 "POST",
 "hassio/ingress/session"
 );
- document.cookie = `ingress_session=${response.data.session};path=/api/hassio_ingress/;SameSite=Strict`;
+ document.cookie = `ingress_session=${
+ response.data.session
+ };path=/api/hassio_ingress/;SameSite=Strict${
+ location.protocol === "https:" ? ";Secure" : ""
+ }`;
 };
 export const setSupervisorOption = async (
diff --git a/test-mocha/hassio/create_session.spec.ts b/test-mocha/hassio/create_session.spec.ts
new file mode 100644
index 0000000000..79bf728ea7
--- /dev/null
+++ b/test-mocha/hassio/create_session.spec.ts
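Review bot: In `createHassioSession` (src/data/hassio/supervisor.ts), the new `document.cookie` template interpolates `response.data.session` as-is, so a response without a session field would store the literal `ingress_session=undefined`, and a value containing `;` would be parsed as extra cookie attributes. A guard before the assignment, e.g. `if (!/^[A-Za-z0-9]+$/.test(response.data.session)) throw new Error("Invalid ingress session");`, would close both cases; the accepted alphabet is only assumed from the test fixture and should be confirmed against what the supervisor actually issues. Because the cookie is written from script it cannot carry `HttpOnly`, and on plain-HTTP installs it is still sent without `Secure`, so a short comment on the assignment stating both limits would help the next reader. The start of the function lies outside the hunk.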
@@ -0,0 +1,57 @@
+import * as assert from "assert";
+import { createHassioSession } from "../../src/data/hassio/supervisor";
+
+const sessionID = "fhdsu73rh3io4h8f3irhjel8ousafehf8f3yh";
+
+describe("Create hassio session", function () {
+ it("Test create session without HTTPS", async function () {
+ // @ts-ignore
+ global.document = {};
+ // @ts-ignore
+ global.location = {};
+ await createHassioSession({
+ // @ts-ignore
+ callApi: async function () {
+ return { data: { session: sessionID } };
+ },
+ });
+ assert.equal(
+ // @ts-ignore
+ global.document.cookie,
+ "ingress_session=fhdsu73rh3io4h8f3irhjel8ousafehf8f3yh;path=/api/hassio_ingress/;SameSite=Strict"
+ );
+ });
+ it("Test create session with HTTPS", async function () {
+ // @ts-ignore
+ global.document = {};
+ // @ts-ignore
+ global.location = { protocol: "https:" };
+ await createHassioSession({
+ // @ts-ignore
+ callApi: async function () {
+ return { data: { session: sessionID } };
+ },
+ });
+ assert.equal(
+ // @ts-ignore
+ global.document.cookie,
+ "ingress_session=fhdsu73rh3io4h8f3irhjel8ousafehf8f3yh;path=/api/hassio_ingress/;SameSite=Strict;Secure"
+ );
+
+ // Clean up in case they will be used in other tests
+ // @ts-ignore
+ global.document = {};
+ // @ts-ignore
+ global.location = {};
+ });
+ it("Test fail to create", async function () {
+ const createSessionPromise = createHassioSession({
+ // @ts-ignore
+ callApi: async function () {},
+ }).then(
+ () => true,
+ () => false
+ );
+ assert.equal(await createSessionPromise, false);
+ });
+});
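Review bot: The "without HTTPS" case sets `global.location = {}`, a state a browser never presents, so the test does not pin the real negative path; `global.location = { protocol: "http:" };` would assert that the `Secure` attribute is omitted for an actual HTTP origin. The "Test fail to create" case passes on any rejection, including an unrelated one, so asserting on the error itself (for example with `assert.rejects`) would make it say what it means. The stubbed `document` and `location` are left as `{}` on `global` after the suite rather than removed; an `afterEach` that deletes both would keep them from leaking into other specs. `assert.strictEqual` is also preferable to `assert.equal` for the cookie string comparisons.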