From 385949c2e2c0b66a2dd0036d2815f534cc6adfa1 Mon Sep 17 00:00:00 2001
From: Scott Trinh
Date: Fri, 3 May 2024 13:18:57 -0400
Subject: [PATCH] Expire auth token and PKCE cookies (#994)

Get the expiration date from the auth token and set the cookie to expire when the token itself expires. PKCE sessions are slightly different. In some contexts, we do not start the session itself until a middle point in the flow, like with email verification, the session starts on the auth server once the verification token is sent to the server, not when the email is sent by the server to the email recipient. Since the verification token has a lifespan of 24 hours at the moment, the expiration is longer than the PKCE session lifespan which is currently 10 minutes. So instead of trying to chase the smallest window of time we can, we set it to a reasonable level: one week after which the PKCE verifier cookie is expired, requiring whatever flow has begun to be retried.
---
 packages/auth-express/src/index.ts | 120 ++++++------------
 packages/auth-nextjs/package.json | 2 +-
 packages/auth-nextjs/src/app/index.ts | 6 +-
 packages/auth-nextjs/src/shared.ts | 25 ++--
 packages/auth-remix/src/server.ts | 168 ++++++--------------------
 packages/auth-sveltekit/src/server.ts | 56 ++++-----
 6 files changed, 121 insertions(+), 256 deletions(-)

diff --git a/packages/auth-express/src/index.ts b/packages/auth-express/src/index.ts
index 8e651c2e6..95c41a82e 100644
--- a/packages/auth-express/src/index.ts
+++ b/packages/auth-express/src/index.ts
@@ -88,6 +88,26 @@ export class ExpressAuth { return Auth.checkPasswordResetTokenValid(resetToken); }; + private createVerifierCookie = (res: ExpressResponse, verifier: string) => { + const expires = new Date(Date.now() + 1000 * 60 * 24 * 7); // In 7 days + res.cookie(this.options.pkceVerifierCookieName, verifier, { + httpOnly: true, + path: "/", + sameSite: "strict", + expires, + }); + }; + + private createAuthCookie = (res: ExpressResponse, authToken: string) => { + const expires = Auth.getTokenExpiration(authToken); + res.cookie(this.options.authCookieName, authToken, { + httpOnly: true, + path: "/", + sameSite: "strict", + expires: expires ?? undefined, + }); + }; + getSession = (req: ExpressRequest) => { const authCookie = req.cookies[this.options.authCookieName]; @@ -265,13 +285,7 @@ export class ExpressAuth { const pkceSession = await this.core.then((core) => core.createPKCESession() ); - res.cookie( - this.options.pkceVerifierCookieName, - pkceSession.verifier, - { - httpOnly: true, - } - ); + this.createVerifierCookie(res, pkceSession.verifier); res.redirect( pkceSession.getOAuthUrl( provider, @@ -316,10 +330,7 @@ export class ExpressAuth { } const isSignUp = searchParams.get("isSignUp") === "true"; const tokenData = await (await this.core).getToken(code, verifier); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "lax", - }); + this.createAuthCookie(res, tokenData.auth_token); res.clearCookie(this.options.pkceVerifierCookieName); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); @@ -345,9 +356,7 @@ export class ExpressAuth { const pkceSession = await this.core.then((core) => core.createPKCESession() ); - res.cookie(this.options.pkceVerifierCookieName, pkceSession.verifier, { - httpOnly: true, - }); + this.createVerifierCookie(res, pkceSession.verifier); res.redirect(pkceSession.getHostedUISigninUrl()); } catch (err) { next(err); 
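Review bot: The verifier cookie lifetime in `createVerifierCookie` does not match its comment: `1000 * 60 * 24 * 7` is 10,080,000 ms, roughly 2.8 hours, because the hours factor is missing; the line should read `const expires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 7); // In 7 days`, which is how the Next.js `setVerifierCookie` in this same patch computes it. The same arithmetic is repeated in `createVerifierCookie` in packages/auth-remix/src/server.ts and `setVerifierCookie` in packages/auth-sveltekit/src/server.ts. As written the cookie outlives neither the 24-hour verification window the commit message says the one-week value was chosen to cover, so a user who clicks the verification link a few hours after signing up would arrive with no verifier cookie and the flow would fail rather than complete. Since all three packages now share this magic number, a named constant for the duration would stop them drifting apart again.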
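Review bot: Routing the OAuth sign-in verifier through `createVerifierCookie` (the `@@ -265` hunk) changes its SameSite attribute from the browser default to `strict`, and the OAuth callback in the `@@ -316` hunk now writes the auth cookie with `strict` where the removed lines used `lax`. The request that reads the verifier is the provider's redirect back to the callback route, which browsers treat as a cross-site navigation and on which Strict cookies are not sent, so the callback would likely find no verifier before reaching `getToken`; I am inferring this from the flow rather than from anything in the hunk, so it should be confirmed in a browser before merging. If it holds, the helpers need a way to relax the attribute for the OAuth routes, e.g. `private createVerifierCookie = (res: ExpressResponse, verifier: string, sameSite: "strict" | "lax" = "strict") => {` with `sameSite,` passed through, and the same for `createAuthCookie`. The Remix OAuth routes in packages/auth-remix/src/server.ts make the identical switch to `strict`.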
@@ -362,9 +371,7 @@ export class ExpressAuth { const pkceSession = await this.core.then((core) => core.createPKCESession() ); - res.cookie(this.options.pkceVerifierCookieName, pkceSession.verifier, { - httpOnly: true, - }); + this.createVerifierCookie(res, pkceSession.verifier); res.redirect(pkceSession.getHostedUISignupUrl()); } catch (err) { next(err); @@ -400,10 +407,7 @@ export class ExpressAuth { } const isSignUp = searchParams.get("isSignUp") === "true"; const tokenData = await (await this.core).getToken(code, verifier); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "lax", - }); + this.createAuthCookie(res, tokenData.auth_token); res.clearCookie(this.options.pkceVerifierCookieName); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); @@ -434,10 +438,7 @@ export class ExpressAuth { const tokenData = await ( await this.core ).signinWithEmailPassword(email, password); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - }); + this.createAuthCookie(res, tokenData.auth_token); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); req.tokenData = tokenData; next(); @@ -457,19 +458,9 @@ export class ExpressAuth { const result = await ( await this.core ).signupWithEmailPassword(email, password, verifyUrl); - res.cookie(this.options.pkceVerifierCookieName, result.verifier, { - httpOnly: true, - sameSite: "strict", - }); + this.createVerifierCookie(res, result.verifier); if (result.status === "complete") { - res.cookie( - this.options.authCookieName, - result.tokenData.auth_token, - { - httpOnly: true, - sameSite: "strict", - } - ); + this.createAuthCookie(res, result.tokenData.auth_token); req.session = new ExpressAuthSession( this.client, result.tokenData.auth_token 
@@ -501,10 +492,7 @@ export class ExpressAuth { const tokenData = await ( await this.core ).verifyEmailPasswordSignup(verificationToken, verifier); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - }); + this.createAuthCookie(res, tokenData.auth_token); res.clearCookie(this.options.pkceVerifierCookieName); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); @@ -526,10 +514,7 @@ export class ExpressAuth { const { verifier } = await ( await this.core ).sendPasswordResetEmail(email, passwordResetUrl); - res.cookie(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - }); + this.createVerifierCookie(res, verifier); res.status(204); next(); } catch (err) { @@ -555,10 +540,7 @@ export class ExpressAuth { const tokenData = await ( await this.core ).resetPasswordWithResetToken(resetToken, verifier, password); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - }); + this.createAuthCookie(res, tokenData.auth_token); res.clearCookie(this.options.pkceVerifierCookieName); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); req.tokenData = tokenData; @@ -592,10 +574,7 @@ export class ExpressAuth { const { verifier } = await ( await this.core ).resendVerificationEmailForEmail(email, verifyUrl); - res.cookie(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - }); + this.createVerifierCookie(res, verifier); } else { throw new InvalidDataError( "verification_token or email missing from request body" 
@@ -633,10 +612,7 @@ export class ExpressAuth { throw new PKCEError("no pkce verifier cookie found"); } const tokenData = await (await this.core).getToken(code, verifier); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - }); + this.createAuthCookie(res, tokenData.auth_token); res.clearCookie(this.options.pkceVerifierCookieName); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); @@ -666,10 +642,7 @@ export class ExpressAuth { const { verifier } = await ( await this.core ).signupWithMagicLink(email, callbackUrl, failureUrl); - res.cookie(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - }); + this.createVerifierCookie(res, verifier); next(); } catch (err) { next(err); @@ -694,10 +667,7 @@ export class ExpressAuth { const { verifier } = await ( await this.core ).signinWithMagicLink(email, callbackUrl, failureUrl); - res.cookie(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - }); + this.createVerifierCookie(res, verifier); next(); } catch (err) { next(err); @@ -724,10 +694,7 @@ export class ExpressAuth { const tokenData = await ( await this.core ).verifyWebAuthnSignup(verificationToken, verifier); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - }); + this.createAuthCookie(res, tokenData.auth_token); res.clearCookie(this.options.pkceVerifierCookieName); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); @@ -764,10 +731,7 @@ export class ExpressAuth { const tokenData = await ( await this.core ).signinWithWebAuthn(email, assertion); - res.cookie(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - }); + this.createAuthCookie(res, tokenData.auth_token); req.session = new ExpressAuthSession(this.client, tokenData.auth_token); req.tokenData = tokenData; next(); 
@@ -803,16 +767,10 @@ export class ExpressAuth { await this.core ).signupWithWebAuthn(email, credentials, verify_url, user_handle); const verifier = result.verifier; - res.cookie(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - }); + this.createVerifierCookie(res, verifier); if (result.status === "complete") { - res.cookie(this.options.authCookieName, result.tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - }); + this.createAuthCookie(res, result.tokenData.auth_token); req.session = new ExpressAuthSession( this.client, result.tokenData.auth_token diff --git a/packages/auth-nextjs/package.json b/packages/auth-nextjs/package.json index c4d3ed777..a767bd426 100644 --- a/packages/auth-nextjs/package.json +++ b/packages/auth-nextjs/package.json @@ -36,6 +36,6 @@ "react": "^18.2.0" }, "dependencies": { - "@edgedb/auth-core": "0.2.0" + "@edgedb/auth-core": "0.2.1" } } diff --git a/packages/auth-nextjs/src/app/index.ts b/packages/auth-nextjs/src/app/index.ts index cbb92bf89..806c1a4a7 100644 --- a/packages/auth-nextjs/src/app/index.ts +++ b/packages/auth-nextjs/src/app/index.ts @@ -51,7 +51,7 @@ export class NextAppAuth extends NextAuth { const tokenData = await ( await this.core ).signinWithEmailPassword(email, password); - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); return tokenData; }, emailPasswordSignUp: async ( @@ -71,7 +71,7 @@ export class NextAppAuth extends NextAuth { ); this.setVerifierCookie(result.verifier); if (result.status === "complete") { - this.setSessionCookie(result.tokenData.auth_token); + this.setAuthCookie(result.tokenData.auth_token); return result.tokenData; } return null; 
@@ -113,7 +113,7 @@ export class NextAppAuth extends NextAuth { const tokenData = await ( await this.core ).resetPasswordWithResetToken(resetToken, verifier, password); - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); cookies().delete(this.options.pkceVerifierCookieName); return tokenData; }, diff --git a/packages/auth-nextjs/src/shared.ts b/packages/auth-nextjs/src/shared.ts index bc1cdbec6..b47bff849 100644 --- a/packages/auth-nextjs/src/shared.ts +++ b/packages/auth-nextjs/src/shared.ts @@ -118,10 +118,12 @@ export abstract class NextAuth extends NextAuthHelpers { path: "/", sameSite: "strict", secure: this.isSecure, + expires: Date.now() + 1000 * 60 * 60 * 24 * 7, // In 7 days }); } - setSessionCookie(token: string) { + setAuthCookie(token: string) { + const expirationDate = Auth.getTokenExpiration(token); cookies().set({ name: this.options.authCookieName, value: token, @@ -129,6 +131,7 @@ export abstract class NextAuth extends NextAuthHelpers { sameSite: "strict", path: "/", secure: this.isSecure, + expires: expirationDate ?? undefined, }); } @@ -226,7 +229,7 @@ export abstract class NextAuth extends NextAuthHelpers { req ); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); cookies().delete(this.options.pkceVerifierCookieName); return onOAuthCallback( @@ -283,7 +286,7 @@ export abstract class NextAuth extends NextAuthHelpers { req ); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); cookies().delete(this.options.pkceVerifierCookieName); return onEmailVerify({ error: null, tokenData }, req); @@ -352,7 +355,7 @@ export abstract class NextAuth extends NextAuthHelpers { req ); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); cookies().delete(this.options.pkceVerifierCookieName); return onEmailVerify({ error: null, tokenData }, req); 
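Review bot: Renaming `setSessionCookie` to `setAuthCookie` in the `@@ -118` hunk of packages/auth-nextjs/src/shared.ts removes a method that had no access modifier and so was public on an exported abstract class; any consumer or subclass calling it will break, and the only version change in this patch is the `@edgedb/auth-core` dependency bump. If the method is considered part of the supported surface, keep a forwarding alias for one release, `/** @deprecated Use setAuthCookie instead. */ setSessionCookie(token: string) { this.setAuthCookie(token); }`, and note the rename in the package changelog. Whether it was documented as public is not visible here, so treat this as a question rather than a blocker.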
@@ -408,7 +411,7 @@ export abstract class NextAuth extends NextAuthHelpers { req ); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); cookies().delete(this.options.pkceVerifierCookieName); return onMagicLinkCallback( @@ -484,7 +487,7 @@ export abstract class NextAuth extends NextAuthHelpers { req ); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); cookies().delete(this.options.pkceVerifierCookieName); return onBuiltinUICallback( @@ -555,7 +558,7 @@ export abstract class NextAuth extends NextAuthHelpers { ? _wrapResponse(onEmailPasswordSignIn({ error }, req), isAction) : Response.json(_wrapError(error)); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); return _wrapResponse( onEmailPasswordSignIn?.({ error: null, tokenData }, req), isAction @@ -593,7 +596,7 @@ export abstract class NextAuth extends NextAuthHelpers { } this.setVerifierCookie(result.verifier); if (result.status === "complete") { - this.setSessionCookie(result.tokenData.auth_token); + this.setAuthCookie(result.tokenData.auth_token); return _wrapResponse( onEmailPasswordSignUp?.( { @@ -669,7 +672,7 @@ export abstract class NextAuth extends NextAuthHelpers { ? _wrapResponse(onEmailPasswordReset({ error }, req), isAction) : Response.json(_wrapError(error)); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); cookies().delete(this.options.pkceVerifierCookieName); return _wrapResponse( onEmailPasswordReset?.({ error: null, tokenData }, req), @@ -740,7 +743,7 @@ export abstract class NextAuth extends NextAuthHelpers { this.setVerifierCookie(result.verifier); if (result.status === "complete") { - this.setSessionCookie(result.tokenData.auth_token); + this.setAuthCookie(result.tokenData.auth_token); return _wrapResponse( onWebAuthnSignUp( { 
@@ -775,7 +778,7 @@ export abstract class NextAuth extends NextAuthHelpers { const error = err instanceof Error ? err : new Error(String(err)); return _wrapResponse(onWebAuthnSignIn({ error }, req), false); } - this.setSessionCookie(tokenData.auth_token); + this.setAuthCookie(tokenData.auth_token); return _wrapResponse( onWebAuthnSignIn({ error: null, tokenData }, req), false diff --git a/packages/auth-remix/src/server.ts b/packages/auth-remix/src/server.ts index 73777797e..b29c7e8e0 100644 --- a/packages/auth-remix/src/server.ts +++ b/packages/auth-remix/src/server.ts @@ -123,6 +123,26 @@ export class RemixServerAuth extends RemixClientAuth { return (await this.core).getProvidersInfo(); } + private createVerifierCookie(verifier: string) { + const expires = new Date(Date.now() + 1000 * 60 * 24 * 7); // In 7 days + return cookie.serialize(this.options.pkceVerifierCookieName, verifier, { + httpOnly: true, + sameSite: "strict", + path: "/", + expires, + }); + } + + private createAuthCookie(authToken: string) { + const expires = Auth.getTokenExpiration(authToken); + return cookie.serialize(this.options.authCookieName, authToken, { + httpOnly: true, + sameSite: "strict", + path: "/", + expires: expires ?? undefined, + }); + } + createAuthRouteHandlers({ onOAuthCallback, onBuiltinUICallback, @@ -170,11 +190,7 @@ export class RemixServerAuth extends RemixClientAuth { ), { headers: new Headers({ - "Set-Cookie": cookie.serialize( - this.options.pkceVerifierCookieName, - pkceSession.verifier, - { httpOnly: true, path: "/" } - ), + "Set-Cookie": this.createVerifierCookie(pkceSession.verifier), }), } ); @@ -220,11 +236,7 @@ export class RemixServerAuth extends RemixClientAuth { const headers = new Headers(); headers.append( "Set-Cookie", - cookie.serialize( - this.options.authCookieName, - tokenData.auth_token, - { httpOnly: true, sameSite: "lax", path: "/" } - ) + this.createAuthCookie(tokenData.auth_token) ); headers.append( "Set-Cookie", 
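Review bot: The new `createVerifierCookie` and `createAuthCookie` helpers in the `@@ -123` hunk serialize the PKCE verifier and the auth token without a `secure` attribute, so unless something outside this file adds it the auth token cookie will also be sent over plain HTTP; the Next.js helpers in this same patch pass `secure: this.isSecure`. Now that every Set-Cookie in this class goes through these two helpers, they are the one place to set it, e.g. `secure: true,` under `path: "/"` in both, or a configurable equivalent if local HTTP development has to keep working. This is carried over from the replaced inline `cookie.serialize` calls rather than introduced here, and the Express and SvelteKit helpers in this patch have the same gap, though SvelteKit's `cookies.set` may apply its own default.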
@@ -287,11 +299,7 @@ export class RemixServerAuth extends RemixClientAuth { const headers = new Headers(); headers.append( "Set-Cookie", - cookie.serialize( - this.options.authCookieName, - tokenData.auth_token, - { httpOnly: true, sameSite: "lax", path: "/" } - ) + this.createAuthCookie(tokenData.auth_token) ); headers.append( "Set-Cookie", @@ -361,15 +369,7 @@ export class RemixServerAuth extends RemixClientAuth { const headers = new Headers(); headers.append( "Set-Cookie", - cookie.serialize( - this.options.authCookieName, - tokenData.auth_token, - { - httpOnly: true, - sameSite: "strict", - path: "/", - } - ) + this.createAuthCookie(tokenData.auth_token) ); headers.append( "Set-Cookie", @@ -401,11 +401,7 @@ export class RemixServerAuth extends RemixClientAuth { : pkceSession.getHostedUISigninUrl(), { headers: { - "Set-Cookie": cookie.serialize( - this.options.pkceVerifierCookieName, - pkceSession.verifier, - { httpOnly: true, path: "/" } - ), + "Set-Cookie": this.createVerifierCookie(pkceSession.verifier), }, } ); @@ -443,15 +439,7 @@ export class RemixServerAuth extends RemixClientAuth { }); } const headers = new Headers({ - "Set-Cookie": cookie.serialize( - this.options.authCookieName, - tokenData.auth_token, - { - httpOnly: true, - sameSite: "strict", - path: "/", - } - ), + "Set-Cookie": this.createAuthCookie(tokenData.auth_token), }); return cbCall( onEmailVerify, @@ -515,15 +503,7 @@ export class RemixServerAuth extends RemixClientAuth { }); } const headers = new Headers({ - "Set-Cookie": cookie.serialize( - this.options.authCookieName, - tokenData.auth_token, - { - httpOnly: true, - sameSite: "strict", - path: "/", - } - ), + "Set-Cookie": this.createAuthCookie(tokenData.auth_token), }); return cbCall( onEmailVerify, 
@@ -611,15 +591,7 @@ export class RemixServerAuth extends RemixClientAuth { headers.append( "Set-Cookie", - cookie.serialize( - this.options.pkceVerifierCookieName, - result.verifier, - { - httpOnly: true, - sameSite: "strict", - path: "/", - } - ) + this.createVerifierCookie(result.verifier) ); if (result.status === "complete") { @@ -627,15 +599,7 @@ export class RemixServerAuth extends RemixClientAuth { headers.append( "Set-Cookie", - cookie.serialize( - this.options.authCookieName, - tokenData.auth_token, - { - httpOnly: true, - sameSite: "strict", - path: "/", - } - ) + this.createAuthCookie(tokenData.auth_token) ); return { tokenData, headers }; } @@ -694,14 +658,7 @@ export class RemixServerAuth extends RemixClientAuth { `${this._authRoute}/emailpassword/verify` ); - headers.append( - "Set-Cookie", - cookie.serialize(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - path: "/", - }) - ); + headers.append("Set-Cookie", this.createVerifierCookie(verifier)); } else { throw new InvalidDataError( "verification_token or email missing. Either one is required." @@ -756,11 +713,7 @@ export class RemixServerAuth extends RemixClientAuth { headers.append( "Set-Cookie", - cookie.serialize(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - path: "/", - }) + this.createAuthCookie(tokenData.auth_token) ); return { tokenData }; @@ -815,11 +768,7 @@ export class RemixServerAuth extends RemixClientAuth { headers.append( "Set-Cookie", - cookie.serialize(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - path: "/", - }) + this.createAuthCookie(tokenData.auth_token) ); return { tokenData }; 
@@ -894,15 +843,7 @@ export class RemixServerAuth extends RemixClientAuth { headers.append( "Set-Cookie", - cookie.serialize( - this.options.pkceVerifierCookieName, - result.verifier, - { - httpOnly: true, - sameSite: "strict", - path: "/", - } - ) + this.createVerifierCookie(result.verifier) ); if (result.status === "complete") { @@ -910,15 +851,7 @@ export class RemixServerAuth extends RemixClientAuth { headers.append( "Set-Cookie", - cookie.serialize( - this.options.authCookieName, - tokenData.auth_token, - { - httpOnly: true, - sameSite: "strict", - path: "/", - } - ) + this.createAuthCookie(tokenData.auth_token) ); return { tokenData, headers }; } @@ -978,14 +911,7 @@ export class RemixServerAuth extends RemixClientAuth { ).toString() ); - headers.append( - "Set-Cookie", - cookie.serialize(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - path: "/", - }) - ); + headers.append("Set-Cookie", this.createVerifierCookie(verifier)); }, req, dataOrCb, @@ -1041,11 +967,7 @@ export class RemixServerAuth extends RemixClientAuth { headers.append( "Set-Cookie", - cookie.serialize(this.options.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "lax", - path: "/", - }) + this.createAuthCookie(tokenData.auth_token) ); headers.append( @@ -1112,14 +1034,7 @@ export class RemixServerAuth extends RemixClientAuth { ).toString() ); - headers.append( - "Set-Cookie", - cookie.serialize(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - path: "/", - }) - ); + headers.append("Set-Cookie", this.createVerifierCookie(verifier)); }, req, dataOrCb, @@ -1175,14 +1090,7 @@ export class RemixServerAuth extends RemixClientAuth { ).toString() ); - headers.append( - "Set-Cookie", - cookie.serialize(this.options.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - path: "/", - }) - ); + headers.append("Set-Cookie", this.createVerifierCookie(verifier)); }, req, dataOrCb, 
diff --git a/packages/auth-sveltekit/src/server.ts b/packages/auth-sveltekit/src/server.ts index 66f02c33c..aff2167ca 100644 --- a/packages/auth-sveltekit/src/server.ts +++ b/packages/auth-sveltekit/src/server.ts @@ -132,6 +132,26 @@ export class ServerRequestAuth extends ClientAuth { return Auth.checkPasswordResetTokenValid(resetToken); } + private setVerifierCookie(verifier: string) { + const expires = new Date(Date.now() + 1000 * 60 * 24 * 7); // In 7 days + this.cookies.set(this.config.pkceVerifierCookieName, verifier, { + httpOnly: true, + sameSite: "strict", + path: "/", + expires, + }); + } + + private setAuthCookie(authToken: string) { + const expires = Auth.getTokenExpiration(authToken); + this.cookies.set(this.config.authCookieName, authToken, { + httpOnly: true, + sameSite: "strict", + path: "/", + expires: expires ?? undefined, + }); + } + async getProvidersInfo() { return (await this.core).getProvidersInfo(); } @@ -153,20 +173,12 @@ export class ServerRequestAuth extends ClientAuth { `${this.config.authRoute}/emailpassword/verify` ); - this.cookies.set(this.config.pkceVerifierCookieName, result.verifier, { - httpOnly: true, - sameSite: "strict", - path: "/", - }); + this.setVerifierCookie(result.verifier); if (result.status === "complete") { const tokenData = result.tokenData; - this.cookies.set(this.config.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - path: "/", - }); + this.setAuthCookie(tokenData.auth_token); return { tokenData }; } @@ -202,11 +214,7 @@ export class ServerRequestAuth extends ClientAuth { `${this.config.authRoute}/emailpassword/verify` ); - this.cookies.set(this.config.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - path: "/", - }); + this.setVerifierCookie(verifier); } else { throw new InvalidDataError( "expected 'verification_token' or 'email' in data" 
@@ -227,11 +235,7 @@ export class ServerRequestAuth extends ClientAuth { await this.core ).signinWithEmailPassword(email, password); - this.cookies.set(this.config.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "strict", - path: "/", - }); + this.setAuthCookie(tokenData.auth_token); return { tokenData }; } @@ -252,11 +256,7 @@ export class ServerRequestAuth extends ClientAuth { new URL(this.config.passwordResetPath, this.config.baseUrl).toString() ); - this.cookies.set(this.config.pkceVerifierCookieName, verifier, { - httpOnly: true, - sameSite: "strict", - path: "/", - }); + this.setVerifierCookie(verifier); } async emailPasswordResetPassword( @@ -278,11 +278,7 @@ export class ServerRequestAuth extends ClientAuth { await this.core ).resetPasswordWithResetToken(resetToken, verifier, password); - this.cookies.set(this.config.authCookieName, tokenData.auth_token, { - httpOnly: true, - sameSite: "lax", - path: "/", - }); + this.setAuthCookie(tokenData.auth_token); this.cookies.delete(this.config.pkceVerifierCookieName, { path: "/",