[CORL-996] Force SSL Configuration (#2917)

* fix: added new FORCE_SSL config, reverted production SSL handling

* fix: added another test to handle purify testing

src/core/common/utils/__snapshots__/purify.spec.ts.snap

@@ -16,6 +16,13 @@ exports[`allows anchor tags and counts them correctly 1`] = `
   "
 `;
 
+exports[`allows mailto links 1`] = `
+Object {
+  "body": "<a href=\\"mailto:email@example.com\\" target=\\"_blank\\" rel=\\"noopener noreferrer\\">email@example.com</a>",
+  "linkCount": 1,
+}
+`;
+
 exports[`sanitizes out attributes not allowed 1`] = `
 Object {
   "body": "<div>Test</div>",

src/core/common/utils/purify.spec.ts

@@ -33,6 +33,15 @@ it("allows anchor links", () => {
   ).toMatchSnapshot();
 });
 
+it("allows mailto links", () => {
+  expect(
+    sanitizeCommentBody(
+      DOMPurify,
+      '<a href="mailto:email@example.com">email@example.com</a>'
+    )
+  ).toMatchSnapshot();
+});
+
 it("allows anchor tags and counts them correctly", () => {
   const { body, linkCount } = sanitizeCommentBody(
     DOMPurify,

src/core/server/app/index.ts

@@ -147,22 +147,28 @@ function configureApplication(options: AppOptions) {
 function configureApplicationHTTPS(options: AppOptions) {
   const { parent, config } = options;
 
+  const log = logger.child(
+    { env: config.get("env"), forceSSL: config.get("force_ssl") },
+    true
+  );
+
   // If we're in production mode, configure some production security settings.
   if (config.get("env") === "production") {
-    if (config.get("disable_force_ssl")) {
-      logger.warn(
-        "SSL enforcement has been disabled in production, this should not be used except for testing"
-      );
-    } else {
+    if (config.get("force_ssl")) {
       // Coral in production requires SSL, so we'll send the HSTS headers here as
       // well as force the use of HTTPS with a 301 redirect.
       parent.use(
         hsts({
-          // We don't want to break existing other services that run with SSL.
+          // We don't want to break existing other services that don't run with
+          // SSL.
           includeSubDomains: false,
         })
       );
       parent.use(enforceHTTPSMiddleware());
+    } else {
+      log.warn(
+        "FORCE_SSL=true should be set when a SSL terminating proxy has been configured"
+      );
     }
   }
 }

src/core/server/config.ts

@@ -269,13 +269,13 @@ const config = convict({
     env: "PERSPECTIVE_TIMEOUT",
     arg: "perspectiveTimeout",
   },
-  disable_force_ssl: {
+  force_ssl: {
     doc:
-      "Disables forcing SSL in production environments. Should not be used except for testing.",
+      "Forces SSL in production by redirecting all HTTP requests to HTTPS, and sending HSTS headers.",
     format: Boolean,
     default: false,
-    env: "DISABLE_FORCE_SSL",
-    arg: "disableForceSSL",
+    env: "FORCE_SSL",
+    arg: "forceSSL",
   },
 });