From 04982992cf99af4070ae106bd1b7b92cf75ea6ce Mon Sep 17 00:00:00 2001
From: Tobbe Lundberg
Date: Thu, 9 Jan 2025 14:06:53 +0700
Subject: [PATCH] feat(dbAuth): Lax SameSite cookie policy (#11889)
---
 .changesets/11889.md | 4 ++++
 .../fragment-test-project/api/src/functions/auth.ts | 2 +-
 .../test-project-rsc-kitchen-sink/api/src/functions/auth.ts | 2 +-
 __fixtures__/test-project/api/src/functions/auth.ts | 2 +-
 docs/docs/auth/dbauth.md | 6 +++---
 docs/docs/cors.md | 2 +-
 docs/docs/how-to/oauth.md | 4 ++--
 .../dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js | 4 ++--
 .../dbAuth/api/src/__tests__/DbAuthHandler.test.js | 4 ++--
 .../setup/src/templates/api/functions/auth.ts.template | 2 +-
 .../src/templates/api/functions/auth.webAuthn.ts.template | 2 +-
 .../dbAuthSetup/templates/api/functions/auth.ts.template | 2 +-
 .../templates/api/functions/auth.webAuthn.ts.template | 2 +-
 .../rsc-kitchen-sink/tests/rsc-kitchen-sink.spec.ts | 2 +-
 14 files changed, 22 insertions(+), 18 deletions(-)
 create mode 100644 .changesets/11889.md
diff --git a/.changesets/11889.md b/.changesets/11889.md
new file mode 100644
index 000000000000..8a50e8e194a3
--- /dev/null
+++ b/.changesets/11889.md
@@ -0,0 +1,4 @@
+- feat(dbAuth): Lax SameSite cookie policy (#11889) by @Tobbe
+
+Setting the `SameSite` cookie policy to `Lax` allows users to be immediately
+authenticated when arriving from external domains.
diff --git a/__fixtures__/fragment-test-project/api/src/functions/auth.ts b/__fixtures__/fragment-test-project/api/src/functions/auth.ts
index d71b437e9802..fd5a3a279e54 100644
--- a/__fixtures__/fragment-test-project/api/src/functions/auth.ts
+++ b/__fixtures__/fragment-test-project/api/src/functions/auth.ts
@@ -182,7 +182,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development',
 // If you need to allow other domains (besides the api side) access to
diff --git a/__fixtures__/test-project-rsc-kitchen-sink/api/src/functions/auth.ts b/__fixtures__/test-project-rsc-kitchen-sink/api/src/functions/auth.ts
index 667c57a51337..406d1f723bb2 100644
--- a/__fixtures__/test-project-rsc-kitchen-sink/api/src/functions/auth.ts
+++ b/__fixtures__/test-project-rsc-kitchen-sink/api/src/functions/auth.ts
@@ -187,7 +187,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development',
 // If you need to allow other domains (besides the api side) access to
diff --git a/__fixtures__/test-project/api/src/functions/auth.ts b/__fixtures__/test-project/api/src/functions/auth.ts
index d71b437e9802..fd5a3a279e54 100644
--- a/__fixtures__/test-project/api/src/functions/auth.ts
+++ b/__fixtures__/test-project/api/src/functions/auth.ts
@@ -182,7 +182,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development',
 // If you need to allow other domains (besides the api side) access to
diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md
index 357c19da8c3d..94d2c4307d13 100644
--- a/docs/docs/auth/dbauth.md
+++ b/docs/docs/auth/dbauth.md
@@ -319,7 +319,7 @@ cookie: {
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: true,
 // Domain: 'example.com',
 },
@@ -360,7 +360,7 @@ cookie: {
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development' ? true : false,
 // highlight-next-line
 Domain: 'example.com'
@@ -564,7 +564,7 @@ export const handler = async (event, context) => {
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development' ? true : false,
 },
 },
diff --git a/docs/docs/cors.md b/docs/docs/cors.md
index 3781aeb19fe2..d3949c57203d 100644
--- a/docs/docs/cors.md
+++ b/docs/docs/cors.md
@@ -109,7 +109,7 @@ const authHandler = new DbAuthHandler(event, context, {
 cookie: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: true,
 },
 forgotPassword: forgotPasswordOptions,
diff --git a/docs/docs/how-to/oauth.md b/docs/docs/how-to/oauth.md
index da9ad9f65ee9..f1b6965e580e 100644
--- a/docs/docs/how-to/oauth.md
+++ b/docs/docs/how-to/oauth.md
@@ -636,7 +636,7 @@ const secureCookie = (user) => {
 `Expires=${expires.toUTCString()}`,
 'HttpOnly=true',
 'Path=/',
- 'SameSite=Strict',
+ 'SameSite=Lax',
 `Secure=${process.env.NODE_ENV !== 'development'}`,
 ]
 const data = JSON.stringify({ id: user.id })
@@ -731,7 +731,7 @@ const secureCookie = (user) => {
 `Expires=${expires.toUTCString()}`,
 'HttpOnly=true',
 'Path=/',
- 'SameSite=Strict',
+ 'SameSite=Lax',
 `Secure=${process.env.NODE_ENV !== 'development'}`,
 ]
 const data = JSON.stringify({ id: user.id })
diff --git a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js
index 17f17ffda554..a9d5e2852a9c 100644
--- a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js
+++ b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js
@@ -2568,7 +2568,7 @@ describe('dbAuth', () => {
 attributes: {
 Path: '/',
 HttpOnly: true,
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: true,
 Domain: 'example.com',
 },
@@ -2580,7 +2580,7 @@ describe('dbAuth', () => {
 expect(attributes.length).toEqual(6)
 expect(attributes[0]).toEqual('Path=/')
 expect(attributes[1]).toEqual('HttpOnly')
- expect(attributes[2]).toEqual('SameSite=Strict')
+ expect(attributes[2]).toEqual('SameSite=Lax')
 expect(attributes[3]).toEqual('Secure')
 expect(attributes[4]).toEqual('Domain=example.com')
 expect(attributes[5]).toMatch(`Expires=`)
diff --git a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js
index 7bd2d2c52b94..7803350afcda 100644
--- a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js
+++ b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js
@@ -2367,7 +2367,7 @@ describe('dbAuth', () => {
 attributes: {
 Path: '/',
 HttpOnly: true,
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: true,
 Domain: 'example.com',
 },
@@ -2380,7 +2380,7 @@ describe('dbAuth', () => {
 expect(attributes.length).toEqual(6)
 expect(attributes[0]).toEqual('Path=/')
 expect(attributes[1]).toEqual('HttpOnly')
- expect(attributes[2]).toEqual('SameSite=Strict')
+ expect(attributes[2]).toEqual('SameSite=Lax')
 expect(attributes[3]).toEqual('Secure')
 expect(attributes[4]).toEqual('Domain=example.com')
 expect(attributes[5]).toMatch(`Expires=`)
diff --git a/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.ts.template b/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.ts.template
index 667c57a51337..406d1f723bb2 100644
--- a/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.ts.template
+++ b/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.ts.template
@@ -187,7 +187,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development',
 // If you need to allow other domains (besides the api side) access to
diff --git a/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.webAuthn.ts.template b/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.webAuthn.ts.template
index dd83f56d188a..f97fe3fd77d1 100644
--- a/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.webAuthn.ts.template
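Review bot: The `SameSite: 'Lax'` line in the auth.ts.template hunk carries no explanation of what the relaxation from `Strict` depends on, and every app scaffolded from this template inherits that silence; a short comment above the attribute should state the trade-off. With `Lax` the browser still withholds the session cookie on cross-site POSTs, fetches and embedded requests, but it does attach it to top-level GET navigations from other origins, so the CSRF posture now rests on every cookie-authenticated route that changes state refusing GET — this patch does not show whether that holds for the auth function and the GraphQL handler, so it should be confirmed rather than assumed. I would add `// 'Lax' sends the cookie on top-level cross-site navigations (users arriving` / `// via an external link are already signed in) but not on cross-site POSTs, so` / `// no cookie-authenticated route may change state on GET; use 'Strict' if unsure.` directly above `SameSite: 'Lax',`. The same applies to the auth.webAuthn.ts.template hunk and the two cli-helpers fixture templates, while the `__fixtures__` copies and the dbauth.md, cors.md and oauth.md snippets presumably follow once the templates carry the comment. The enclosing `handler` starts and ends outside the hunk.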
+++ b/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.webAuthn.ts.template
@@ -177,7 +177,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development' ? true : false,
 // If you need to allow other domains (besides the api side) access to
diff --git a/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.ts.template b/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.ts.template
index 8fd16f7f5f34..320f16357c83 100644
--- a/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.ts.template
+++ b/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.ts.template
@@ -172,7 +172,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development' ? true : false,
 // If you need to allow other domains (besides the api side) access to
diff --git a/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.webAuthn.ts.template b/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.webAuthn.ts.template
index aff737384bed..00b9ca81e43e 100644
--- a/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.webAuthn.ts.template
+++ b/packages/cli-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.webAuthn.ts.template
@@ -177,7 +177,7 @@ export const handler = async (
 attributes: {
 HttpOnly: true,
 Path: '/',
- SameSite: 'Strict',
+ SameSite: 'Lax',
 Secure: process.env.NODE_ENV !== 'development' ? true : false,
 // If you need to allow other domains (besides the api side) access to
diff --git a/tasks/smoke-tests/rsc-kitchen-sink/tests/rsc-kitchen-sink.spec.ts b/tasks/smoke-tests/rsc-kitchen-sink/tests/rsc-kitchen-sink.spec.ts
index 6098a36f304a..ecfdf2065cb8 100644
--- a/tasks/smoke-tests/rsc-kitchen-sink/tests/rsc-kitchen-sink.spec.ts
+++ b/tasks/smoke-tests/rsc-kitchen-sink/tests/rsc-kitchen-sink.spec.ts
@@ -268,7 +268,7 @@ test('Retrieving request details in a', async ({ page }) => {
 expires: Math.floor(Date.now() / 1000) + 300, // 5 minutes from now in seconds
 secure: true,
 httpOnly: true,
- sameSite: 'Strict',
+ sameSite: 'Lax',
 },
 ])