Set cookies to Secure when base URL is https (#938)
scotttrinh authored May 2, 2024
1 parent ab988ea commit 4ad5d30
Showing 3 changed files with 48 additions and 159 deletions.
49 changes: 7 additions & 42 deletions packages/auth-nextjs/src/app/index.ts
Expand Up @@ -51,12 +51,7 @@ export class NextAppAuth extends NextAuth {
const tokenData = await (
await this.core
).signinWithEmailPassword(email, password);
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
});
this.setSessionCookie(tokenData.auth_token);
return tokenData;
},
emailPasswordSignUp: async (
Expand All @@ -74,19 +69,9 @@ export class NextAppAuth extends NextAuth {
password,
`${this._authRoute}/emailpassword/verify`
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: result.verifier,
httpOnly: true,
sameSite: "strict",
});
this.setVerifierCookie(result.verifier);
if (result.status === "complete") {
cookies().set({
name: this.options.authCookieName,
value: result.tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
});
this.setSessionCookie(result.tokenData.auth_token);
return result.tokenData;
}
return null;
Expand All @@ -109,12 +94,7 @@ export class NextAppAuth extends NextAuth {
this.options.baseUrl
).toString()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: verifier,
httpOnly: true,
sameSite: "strict",
});
this.setVerifierCookie(verifier);
},
emailPasswordResetPassword: async (
data: FormData | { reset_token: string; password: string }
Expand All @@ -133,12 +113,7 @@ export class NextAppAuth extends NextAuth {
const tokenData = await (
await this.core
).resetPasswordWithResetToken(resetToken, verifier, password);
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
});
this.setSessionCookie(tokenData.auth_token);
cookies().delete(this.options.pkceVerifierCookieName);
return tokenData;
},
Expand Down Expand Up @@ -199,12 +174,7 @@ export class NextAppAuth extends NextAuth {
this.options.baseUrl
).toString()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: verifier,
httpOnly: true,
sameSite: "strict",
});
this.setVerifierCookie(verifier);
},
magicLinkSignIn: async (data: FormData | { email: string }) => {
if (!this.options.magicLinkFailurePath) {
Expand All @@ -223,12 +193,7 @@ export class NextAppAuth extends NextAuth {
this.options.baseUrl
).toString()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: verifier,
httpOnly: true,
sameSite: "strict",
});
this.setVerifierCookie(verifier);
},
};
}
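Review bot: The hunks move every `cookies().set` into the new helpers but leave `cookies().delete(this.options.pkceVerifierCookieName)` inline, here after the `setSessionCookie` call in `emailPasswordResetPassword` and again after each `setSessionCookie` call in the callback hunks of shared.ts, so the verifier cookie is now written with one set of attributes (`path: "/"` from `setVerifierCookie`) and cleared with whatever `delete(name)` defaults to. Whether `cookies().delete(name)` already clears on path "/" in this Next.js version cannot be confirmed from the hunk, which is the reason to pin it next to the setters: add `clearVerifierCookie()` on NextAuth that calls `cookies().delete({ name: this.options.pkceVerifierCookieName, path: "/" })` and replace each inline delete with `this.clearVerifierCookie();`. The enclosing action callbacks begin outside these hunks.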
2 changes: 2 additions & 0 deletions packages/auth-nextjs/src/shared.client.ts
Expand Up @@ -26,6 +26,7 @@ export abstract class NextAuthHelpers {
readonly options: Required<Omit<NextAuthOptions, OptionalOptions>> &
Pick<NextAuthOptions, OptionalOptions>;
readonly webAuthnClient: WebAuthnClient;
readonly isSecure: boolean;

/** @internal */
constructor(options: NextAuthOptions) {
Expand All @@ -45,6 +46,7 @@ export abstract class NextAuthHelpers {
signinUrl: `${this._authRoute}/webauthn/signin`,
verifyUrl: `${this._authRoute}/webauthn/verify`,
});
this.isSecure = this.options.baseUrl.startsWith("https");
}

protected get _authRoute() {
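Review bot: `this.isSecure = this.options.baseUrl.startsWith("https")` at the end of the constructor is a case-sensitive prefix test rather than a scheme check, so a base URL such as `HTTPS://…` yields false and the Secure attribute is then silently omitted from every auth cookie the helpers write. baseUrl appears to be used as a URL base already (the `…, this.options.baseUrl).toString()` tails in app/index.ts), so parsing it here is consistent with the rest of the package: `this.isSecure = new URL(this.options.baseUrl).protocol === "https:";`, which also reports a malformed baseUrl at construction instead of at the first cookie write. The new field would benefit from a comment, e.g. `/** True when baseUrl is https; drives the Secure attribute on the session and PKCE verifier cookies. */`. The middle of the constructor body lies between the two hunks and is not visible here.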
156 changes: 39 additions & 117 deletions packages/auth-nextjs/src/shared.ts
Expand Up @@ -110,6 +110,28 @@ export abstract class NextAuth extends NextAuthHelpers {
return Auth.checkPasswordResetTokenValid(resetToken);
}

setVerifierCookie(verifier: string) {
cookies().set({
name: this.options.pkceVerifierCookieName,
value: verifier,
httpOnly: true,
path: "/",
sameSite: "strict",
secure: this.isSecure,
});
}

setSessionCookie(token: string) {
cookies().set({
name: this.options.authCookieName,
value: token,
httpOnly: true,
sameSite: "strict",
path: "/",
secure: this.isSecure,
});
}

createAuthRouteHandlers({
onOAuthCallback,
onEmailPasswordSignIn,
Expand Down Expand Up @@ -144,12 +166,7 @@ export abstract class NextAuth extends NextAuthHelpers {
const pkceSession = await this.core.then((core) =>
core.createPKCESession()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: pkceSession.verifier,
httpOnly: true,
path: "/",
});
this.setVerifierCookie(pkceSession.verifier);
return redirect(
pkceSession.getOAuthUrl(
provider,
Expand Down Expand Up @@ -209,13 +226,7 @@ export abstract class NextAuth extends NextAuthHelpers {
req
);
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "lax",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
cookies().delete(this.options.pkceVerifierCookieName);

return onOAuthCallback(
Expand Down Expand Up @@ -272,13 +283,7 @@ export abstract class NextAuth extends NextAuthHelpers {
req
);
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
cookies().delete(this.options.pkceVerifierCookieName);

return onEmailVerify({ error: null, tokenData }, req);
Expand Down Expand Up @@ -347,13 +352,7 @@ export abstract class NextAuth extends NextAuthHelpers {
req
);
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
cookies().delete(this.options.pkceVerifierCookieName);

return onEmailVerify({ error: null, tokenData }, req);
Expand Down Expand Up @@ -409,13 +408,7 @@ export abstract class NextAuth extends NextAuthHelpers {
req
);
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "lax",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
cookies().delete(this.options.pkceVerifierCookieName);

return onMagicLinkCallback(
Expand Down Expand Up @@ -491,13 +484,7 @@ export abstract class NextAuth extends NextAuthHelpers {
req
);
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "lax",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
cookies().delete(this.options.pkceVerifierCookieName);

return onBuiltinUICallback(
Expand All @@ -517,12 +504,7 @@ export abstract class NextAuth extends NextAuthHelpers {
const pkceSession = await this.core.then((core) =>
core.createPKCESession()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: pkceSession.verifier,
httpOnly: true,
path: "/",
});
this.setVerifierCookie(pkceSession.verifier);
return redirect(
params.auth[params.auth.length - 1] === "signup"
? pkceSession.getHostedUISignupUrl()
Expand Down Expand Up @@ -573,13 +555,7 @@ export abstract class NextAuth extends NextAuthHelpers {
? _wrapResponse(onEmailPasswordSignIn({ error }, req), isAction)
: Response.json(_wrapError(error));
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
return _wrapResponse(
onEmailPasswordSignIn?.({ error: null, tokenData }, req),
isAction
Expand Down Expand Up @@ -615,21 +591,9 @@ export abstract class NextAuth extends NextAuthHelpers {
? _wrapResponse(onEmailPasswordSignUp({ error }, req), isAction)
: Response.json(_wrapError(error));
}
cookies().set({
name: this.options.pkceVerifierCookieName,
value: result.verifier,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setVerifierCookie(result.verifier);
if (result.status === "complete") {
cookies().set({
name: this.options.authCookieName,
value: result.tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setSessionCookie(result.tokenData.auth_token);
return _wrapResponse(
onEmailPasswordSignUp?.(
{
Expand Down Expand Up @@ -669,13 +633,7 @@ export abstract class NextAuth extends NextAuthHelpers {
this.options.baseUrl
).toString()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: verifier,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setVerifierCookie(verifier);
return isAction
? Response.json({ _data: null })
: new Response(null, { status: 204 });
Expand Down Expand Up @@ -711,13 +669,7 @@ export abstract class NextAuth extends NextAuthHelpers {
? _wrapResponse(onEmailPasswordReset({ error }, req), isAction)
: Response.json(_wrapError(error));
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
cookies().delete(this.options.pkceVerifierCookieName);
return _wrapResponse(
onEmailPasswordReset?.({ error: null, tokenData }, req),
Expand Down Expand Up @@ -786,21 +738,9 @@ export abstract class NextAuth extends NextAuthHelpers {
return _wrapResponse(onWebAuthnSignUp({ error }, req), false);
}

cookies().set({
name: this.options.pkceVerifierCookieName,
value: result.verifier,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setVerifierCookie(result.verifier);
if (result.status === "complete") {
cookies().set({
name: this.options.authCookieName,
value: result.tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setSessionCookie(result.tokenData.auth_token);
return _wrapResponse(
onWebAuthnSignUp(
{
Expand Down Expand Up @@ -835,13 +775,7 @@ export abstract class NextAuth extends NextAuthHelpers {
const error = err instanceof Error ? err : new Error(String(err));
return _wrapResponse(onWebAuthnSignIn({ error }, req), false);
}
cookies().set({
name: this.options.authCookieName,
value: tokenData.auth_token,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setSessionCookie(tokenData.auth_token);
return _wrapResponse(
onWebAuthnSignIn({ error: null, tokenData }, req),
false
Expand Down Expand Up @@ -870,13 +804,7 @@ export abstract class NextAuth extends NextAuthHelpers {
this.options.baseUrl
).toString()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: verifier,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setVerifierCookie(verifier);
return isAction
? Response.json({ _data: null })
: new Response(null, { status: 204 });
Expand Down Expand Up @@ -904,13 +832,7 @@ export abstract class NextAuth extends NextAuthHelpers {
this.options.baseUrl
).toString()
);
cookies().set({
name: this.options.pkceVerifierCookieName,
value: verifier,
httpOnly: true,
sameSite: "strict",
path: "/",
});
this.setVerifierCookie(verifier);
return isAction
? Response.json({ _data: null })
: new Response(null, { status: 204 });
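Review bot: Both new helpers hard-code `sameSite: "strict"`, but several of the `cookies().set` calls they replace deliberately used `sameSite: "lax"` for the session cookie (the OAuth, magic-link and builtin-UI callback hunks) or set no `sameSite` on the verifier cookie (the OAuth and builtin-UI signin hunks, which current browsers treat as Lax). Those callback requests arrive by a top-level redirect from the auth server, which browsers may treat as cross-site unless it shares the app's site, and Strict cookies are not attached to cross-site navigations, so the PKCE verifier can be absent on the callback and the freshly set session cookie can be missing on the redirect that follows it. Make the attribute a parameter with the conservative default, `setVerifierCookie(verifier: string, sameSite: "strict" | "lax" = "strict")` and `setSessionCookie(token: string, sameSite: "strict" | "lax" = "strict")`, pass it through as `sameSite,` in each `cookies().set`, and keep `"lax"` at the call sites that previously had it or had none. A one-line TSDoc on each helper noting that `secure` follows `this.isSecure` and that the cookie is scoped to `path: "/"` would also help, since callers in app/index.ts no longer see the attributes.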
