feat(dbAuth): Lax SameSite cookie policy (redwoodjs#11889)
Tobbe authored Jan 9, 2025
1 parent f66ca2e commit 0498299
Showing 14 changed files with 22 additions and 18 deletions.
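--- a/.changesets/11889.md
+++ b/.changesets/11889.md
@@ -0,0 +1,4 @@
+- feat(dbAuth): Lax SameSite cookie policy (#11889) by @Tobbe
+
+Setting the `SameSite` cookie policy to `Lax` allows users to be immediately
+authenticated when arriving from external domains.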
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ export const handler = async (
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
SameSite: 'Lax',
Secure: process.env.NODE_ENV !== 'development',

// If you need to allow other domains (besides the api side) access to
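Review bot: The change from `SameSite: 'Strict'` to `SameSite: 'Lax'` on the session cookie is left without any comment in the handler, although it widens where the browser sends that cookie: with Lax it is attached to top-level cross-site GET navigations (which is what lets a link from an external domain arrive already authenticated), while Strict withheld it on every cross-site request; cross-site POST and subresource requests still do not carry it. If the api side exposes any GET-handled route that changes state based on this cookie — not visible in this hunk — such a route becomes reachable from a third-party link with the session attached, so the trade-off should be recorded where the value is set. A comment such as `// Lax: sent on top-level cross-site GET navigations (links from external sites arrive signed in) but not on cross-site POST; use 'Strict' if that entry path is not needed.` above the attribute would do. The same one-line change recurs in the six other handler hunks of this commit (the fixture auth.ts among them) and would take the same comment; the enclosing `handler` starts before this hunk.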
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,7 @@ export const handler = async (
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
SameSite: 'Lax',
Secure: process.env.NODE_ENV !== 'development',

// If you need to allow other domains (besides the api side) access to
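--- a/__fixtures__/test-project/api/src/functions/auth.ts
+++ b/__fixtures__/test-project/api/src/functions/auth.ts
@@ -182,7 +182,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
-SameSite: 'Strict',
+SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development',
 
 // If you need to allow other domains (besides the api side) access to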
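--- a/docs/docs/auth/dbauth.md
+++ b/docs/docs/auth/dbauth.md
@@ -319,7 +319,7 @@ cookie: {
 attributes: {
 HttpOnly: true,
 Path: '/',
-SameSite: 'Strict',
+SameSite: 'Lax',
 Secure: true,
 // Domain: 'example.com',
 },
@@ -360,7 +360,7 @@ cookie: {
 attributes: {
 HttpOnly: true,
 Path: '/',
-SameSite: 'Strict',
+SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development' ? true : false,
 // highlight-next-line
 Domain: 'example.com'
@@ -564,7 +564,7 @@ export const handler = async (event, context) => {
 attributes: {
 HttpOnly: true,
 Path: '/',
-SameSite: 'Strict',
+SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development' ? true : false,
 },
 },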
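--- a/docs/docs/cors.md
+++ b/docs/docs/cors.md
@@ -109,7 +109,7 @@ const authHandler = new DbAuthHandler(event, context, {
 cookie: {
 HttpOnly: true,
 Path: '/',
-SameSite: 'Strict',
+SameSite: 'Lax',
 Secure: true,
 },
 forgotPassword: forgotPasswordOptions,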
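--- a/docs/docs/how-to/oauth.md
+++ b/docs/docs/how-to/oauth.md
@@ -636,7 +636,7 @@ const secureCookie = (user) => {
 `Expires=${expires.toUTCString()}`,
 'HttpOnly=true',
 'Path=/',
-'SameSite=Strict',
+'SameSite=Lax',
 `Secure=${process.env.NODE_ENV !== 'development'}`,
 ]
 const data = JSON.stringify({ id: user.id })
@@ -731,7 +731,7 @@ const secureCookie = (user) => {
 `Expires=${expires.toUTCString()}`,
 'HttpOnly=true',
 'Path=/',
-'SameSite=Strict',
+'SameSite=Lax',
 `Secure=${process.env.NODE_ENV !== 'development'}`,
 ]
 const data = JSON.stringify({ id: user.id })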
Original file line number Diff line number Diff line change
Expand Up @@ -2568,7 +2568,7 @@ describe('dbAuth', () => {
attributes: {
Path: '/',
HttpOnly: true,
SameSite: 'Strict',
SameSite: 'Lax',
Secure: true,
Domain: 'example.com',
},
Expand All @@ -2580,7 +2580,7 @@ describe('dbAuth', () => {
expect(attributes.length).toEqual(6)
expect(attributes[0]).toEqual('Path=/')
expect(attributes[1]).toEqual('HttpOnly')
expect(attributes[2]).toEqual('SameSite=Strict')
expect(attributes[2]).toEqual('SameSite=Lax')
expect(attributes[3]).toEqual('Secure')
expect(attributes[4]).toEqual('Domain=example.com')
expect(attributes[5]).toMatch(`Expires=`)
Original file line number Diff line number Diff line change
Expand Up @@ -2367,7 +2367,7 @@ describe('dbAuth', () => {
attributes: {
Path: '/',
HttpOnly: true,
SameSite: 'Strict',
SameSite: 'Lax',
Secure: true,
Domain: 'example.com',
},
Expand All @@ -2380,7 +2380,7 @@ describe('dbAuth', () => {
expect(attributes.length).toEqual(6)
expect(attributes[0]).toEqual('Path=/')
expect(attributes[1]).toEqual('HttpOnly')
expect(attributes[2]).toEqual('SameSite=Strict')
expect(attributes[2]).toEqual('SameSite=Lax')
expect(attributes[3]).toEqual('Secure')
expect(attributes[4]).toEqual('Domain=example.com')
expect(attributes[5]).toMatch(`Expires=`)
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,7 @@ export const handler = async (
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
SameSite: 'Lax',
Secure: process.env.NODE_ENV !== 'development',

// If you need to allow other domains (besides the api side) access to
Original file line number Diff line number Diff line change
Expand Up @@ -177,7 +177,7 @@ export const handler = async (
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
SameSite: 'Lax',
Secure: process.env.NODE_ENV !== 'development' ? true : false,

// If you need to allow other domains (besides the api side) access to
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ export const handler = async (
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
SameSite: 'Lax',
Secure: process.env.NODE_ENV !== 'development' ? true : false,

// If you need to allow other domains (besides the api side) access to
Original file line number Diff line number Diff line change
Expand Up @@ -177,7 +177,7 @@ export const handler = async (
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
SameSite: 'Lax',
Secure: process.env.NODE_ENV !== 'development' ? true : false,

// If you need to allow other domains (besides the api side) access to
Original file line number Diff line number Diff line change
Expand Up @@ -268,7 +268,7 @@ test('Retrieving request details in a', async ({ page }) => {
expires: Math.floor(Date.now() / 1000) + 300, // 5 minutes from now in seconds
secure: true,
httpOnly: true,
sameSite: 'Strict',
sameSite: 'Lax',
},
])

