Conversation


@bisand bisand commented Oct 11, 2025

Fix: Add proper security options to OAuth state and PKCE cookies

The Problem
The OAuth state and PKCE verifier cookies were being set without any explicit options, which caused two main issues:

Security vulnerabilities:

  • Cookies were accessible to JavaScript (XSS risk)
  • Cookies could be sent over HTTP (man-in-the-middle risk)
  • No CSRF protection

Browser compatibility:

  • Modern browsers have started enforcing stricter cookie policies by default
  • Without explicit sameSite settings, some browsers drop cookies during OAuth redirects
  • This caused "state mismatch" errors, especially with providers like Okta

What This PR Does:

Adds explicit cookie security options to both handleState() and handlePkceVerifier():

setCookie(event, 'nuxt-auth-state', state, {
  httpOnly: true,
  secure: process.env.NODE_ENV !== 'development',
  sameSite: 'lax',
  maxAge: 60 * 10, // 10 minutes
  path: '/',
})

Why these specific options:

  • httpOnly: true - Prevents JavaScript access, blocks XSS attacks
  • secure: true in production - HTTPS only when it matters
  • sameSite: 'lax' - Allows cookies during OAuth redirects while preventing CSRF
  • maxAge: 600 - OAuth flows should complete within 10 minutes
  • path: '/' - Available across the entire application

Impact

This affects all OAuth providers in the library (GitHub, Google, Microsoft, Azure B2C, Okta, Auth0, Keycloak, etc.) since they all use these utility functions.

No breaking changes - the functions work exactly the same, just more securely.

Why !== 'development' instead of === 'production'
Using the negative check means if NODE_ENV is undefined or misspelled, cookies default to secure mode. Better to have secure cookies break local dev (easy to fix) than accidentally ship insecure cookies to production.

Testing
Tested OAuth flows with several providers in both dev and production modes. The state mismatch errors are gone, and cookies are properly secured.
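As an added example that is not part of this PR or of the nuxt-auth-utils code base: the snippet below reproduces the option-building rule the PR describes and serialises the result into the `Set-Cookie` header the browser actually receives, so the effect of each flag, and of the `!== 'development'` check when `NODE_ENV` is unset or misspelled, can be inspected offline. `serializeSetCookie` is a hypothetical minimal stand-in for what h3's `setCookie()` does internally, not the library's own implementation.

```javascript
// Added example, not from the PR or from nuxt-auth-utils.
// Shows the "before" (no options) and "after" (hardened) state cookie.

const OAUTH_COOKIE_MAX_AGE = 60 * 10; // 10 minutes, as in the PR

// Mirrors the PR's `secure: process.env.NODE_ENV !== 'development'` rule:
// anything other than an explicit 'development' (undefined, 'test', a typo)
// yields a Secure cookie, so a misconfigured deploy fails closed.
function oauthCookieOptions(nodeEnv) {
  return {
    httpOnly: true,
    secure: nodeEnv !== 'development',
    sameSite: 'lax',
    maxAge: OAUTH_COOKIE_MAX_AGE,
    path: '/',
  };
}

// Hypothetical Set-Cookie serialiser standing in for h3's setCookie().
// Attribute names follow RFC 6265 / the SameSite draft.
function serializeSetCookie(name, value, options = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.maxAge !== undefined) parts.push(`Max-Age=${options.maxAge}`);
  if (options.path) parts.push(`Path=${options.path}`);
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.secure) parts.push('Secure');
  if (options.sameSite) {
    const v = String(options.sameSite);
    parts.push(`SameSite=${v.charAt(0).toUpperCase() + v.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Before the PR: the cookie was set with no explicit options at all.
function legacyStateHeader(state) {
  return serializeSetCookie('nuxt-auth-state', state);
}

// After the PR: the cookie carries the hardened option set.
function hardenedStateHeader(state, nodeEnv = process.env.NODE_ENV) {
  return serializeSetCookie('nuxt-auth-state', state, oauthCookieOptions(nodeEnv));
}

// Parses the attributes back out of a header so a reviewer or test can
// confirm which protections a given cookie actually carries.
function cookieFlags(header) {
  const attrs = header.split('; ').slice(1);
  const sameSite = attrs.find((a) => a.startsWith('SameSite='));
  return {
    httpOnly: attrs.includes('HttpOnly'),
    secure: attrs.includes('Secure'),
    sameSite: sameSite ? sameSite.slice('SameSite='.length) : null,
  };
}

// Constructed sample state value; a real one is a random, unguessable token.
const SAMPLE_STATE = 'constructed-state-abc123';
console.log('before:', legacyStateHeader(SAMPLE_STATE));
console.log('after (NODE_ENV unset):', hardenedStateHeader(SAMPLE_STATE, undefined));
console.log('after (development):', hardenedStateHeader(SAMPLE_STATE, 'development'));
```

Running it prints the bare `nuxt-auth-state=...` header the library used to emit next to the hardened one; note that only the literal string `'development'` drops the `Secure` attribute, which is exactly the fail-closed behaviour the PR argues for.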

github-actions bot and others added 3 commits October 11, 2025 18:53
The OAuth state cookie was being set without explicit options, which
caused it to be lost during OAuth redirects in some browsers due to
default SameSite policies.

This fix adds:
- httpOnly: true - Prevents XSS attacks
- secure: true (production) - HTTPS only in production
- sameSite: 'lax' - Critical: allows cookie during OAuth redirects
- maxAge: 600 seconds - OAuth should complete within 10 minutes
- path: '/' - Available across all paths

Fixes state mismatch errors during OAuth authentication flow.

Related issue: OAuth state cookie being lost during Okta redirects
causing 'state mismatch' errors on first authentication attempt.
@Copilot Copilot AI review requested due to automatic review settings October 11, 2025 21:20
@Copilot Copilot AI left a comment

Pull Request Overview

This PR fixes OAuth security vulnerabilities and browser compatibility issues by adding explicit security options to OAuth state and PKCE verifier cookies. The changes prevent state mismatch errors that were occurring with modern browsers, particularly with providers like Okta.

Key changes:

  • Added comprehensive cookie security options to handlePkceVerifier() and handleState() functions
  • Implemented httpOnly, secure, sameSite, maxAge, and path options for both OAuth cookies
  • Used environment-based secure flag configuration for development vs production

pkg-pr-new bot commented Oct 11, 2025

npm i https://pkg.pr.new/atinux/nuxt-auth-utils@463

commit: 8f9134e
