feat(dbAuth): Lax SameSite cookie policy

Tobbe · Jan 9, 2025 · 35120d2 · 35120d2
1 parent f66ca2e
commit 35120d2
Show file tree

Hide file tree

Showing 12 changed files with 14 additions and 14 deletions.
diff --git a/__fixtures__/fragment-test-project/api/src/functions/auth.ts b/__fixtures__/fragment-test-project/api/src/functions/auth.ts
@@ -182,7 +182,7 @@ export const handler = async (
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development',
 
         // If you need to allow other domains (besides the api side) access to

diff --git a/__fixtures__/test-project-rsc-kitchen-sink/api/src/functions/auth.ts b/__fixtures__/test-project-rsc-kitchen-sink/api/src/functions/auth.ts
@@ -187,7 +187,7 @@ export const handler = async (
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development',
 
         // If you need to allow other domains (besides the api side) access to

diff --git a/__fixtures__/test-project/api/src/functions/auth.ts b/__fixtures__/test-project/api/src/functions/auth.ts
@@ -182,7 +182,7 @@ export const handler = async (
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development',
 
         // If you need to allow other domains (besides the api side) access to

diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md
@@ -319,7 +319,7 @@ cookie: {
   attributes: {
     HttpOnly: true,
     Path: '/',
-    SameSite: 'Strict',
+    SameSite: 'Lax',
     Secure: true,
     // Domain: 'example.com',
   },
@@ -360,7 +360,7 @@ cookie: {
   attributes: {
     HttpOnly: true,
     Path: '/',
-    SameSite: 'Strict',
+    SameSite: 'Lax',
     Secure: process.env.NODE_ENV !== 'development' ? true : false,
     // highlight-next-line
     Domain: 'example.com'
@@ -564,7 +564,7 @@ export const handler = async (event, context) => {
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development' ? true : false,
       },
     },

diff --git a/docs/docs/cors.md b/docs/docs/cors.md
@@ -109,7 +109,7 @@ const authHandler = new DbAuthHandler(event, context, {
   cookie: {
     HttpOnly: true,
     Path: '/',
-    SameSite: 'Strict',
+    SameSite: 'Lax',
     Secure: true,
   },
   forgotPassword: forgotPasswordOptions,

diff --git a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.fetch.test.js
@@ -2568,7 +2568,7 @@ describe('dbAuth', () => {
             attributes: {
               Path: '/',
               HttpOnly: true,
-              SameSite: 'Strict',
+              SameSite: 'Lax',
               Secure: true,
               Domain: 'example.com',
             },

diff --git a/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js b/packages/auth-providers/dbAuth/api/src/__tests__/DbAuthHandler.test.js
@@ -2367,7 +2367,7 @@ describe('dbAuth', () => {
             attributes: {
               Path: '/',
               HttpOnly: true,
-              SameSite: 'Strict',
+              SameSite: 'Lax',
               Secure: true,
               Domain: 'example.com',
             },

diff --git a/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.ts.template b/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.ts.template
@@ -187,7 +187,7 @@ export const handler = async (
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development',
 
         // If you need to allow other domains (besides the api side) access to

diff --git a/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.webAuthn.ts.template b/packages/auth-providers/dbAuth/setup/src/templates/api/functions/auth.webAuthn.ts.template
@@ -177,7 +177,7 @@ export const handler = async (
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development' ? true : false,
 
         // If you need to allow other domains (besides the api side) access to

diff --git a/...-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.ts.template b/...-helpers/src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.ts.template
@@ -172,7 +172,7 @@ export const handler = async (
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development' ? true : false,
 
         // If you need to allow other domains (besides the api side) access to

diff --git a/...src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.webAuthn.ts.template b/...src/auth/__tests__/fixtures/dbAuthSetup/templates/api/functions/auth.webAuthn.ts.template
@@ -177,7 +177,7 @@ export const handler = async (
       attributes: {
         HttpOnly: true,
         Path: '/',
-        SameSite: 'Strict',
+        SameSite: 'Lax',
         Secure: process.env.NODE_ENV !== 'development' ? true : false,
 
         // If you need to allow other domains (besides the api side) access to

diff --git a/tasks/smoke-tests/rsc-kitchen-sink/tests/rsc-kitchen-sink.spec.ts b/tasks/smoke-tests/rsc-kitchen-sink/tests/rsc-kitchen-sink.spec.ts
@@ -268,7 +268,7 @@ test('Retrieving request details in a', async ({ page }) => {
       expires: Math.floor(Date.now() / 1000) + 300, // 5 minutes from now in seconds
       secure: true,
       httpOnly: true,
-      sameSite: 'Strict',
+      sameSite: 'Lax',
     },
   ])