From 8a417533f68a5b85211cf1ebb658fd0b0594de8d Mon Sep 17 00:00:00 2001
From: Siddharth Suresh
Date: Sat, 17 Feb 2024 05:04:36 +0530
Subject: [PATCH] feat: remove restriction to use secure cookies in localhost (#4300)

* feat: remove restriction to use secure cookies in localhost

* changeset

* pnpm lock fix

* Update .changeset/grumpy-deers-rest.md

* Update .changeset/grumpy-deers-rest.md

---------

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
---
 .changeset/grumpy-deers-rest.md | 5 ++++
 .../blitz-auth/src/server/auth-sessions.ts | 30 +++++++------------
 2 files changed, 15 insertions(+), 20 deletions(-)
 create mode 100644 .changeset/grumpy-deers-rest.md

diff --git a/.changeset/grumpy-deers-rest.md b/.changeset/grumpy-deers-rest.md
new file mode 100644
index 0000000000..4fc9e1735e
--- /dev/null
+++ b/.changeset/grumpy-deers-rest.md
@@ -0,0 +1,5 @@
+---
+"@blitzjs/auth": patch
+---
+
+fix: remove restriction to use `secure` cookies in localhost / during development following spec in [developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)
diff --git a/packages/blitz-auth/src/server/auth-sessions.ts b/packages/blitz-auth/src/server/auth-sessions.ts
index 37a81634cf..b067b024c6 100644
--- a/packages/blitz-auth/src/server/auth-sessions.ts
+++ b/packages/blitz-auth/src/server/auth-sessions.ts
@@ -43,7 +43,7 @@ import {Socket} from "net"
 import {UrlObject} from "url"
 import {formatWithValidation} from "../shared/url-utils"
 
-export function isLocalhost(req: any): boolean {
+export function isLocalhost(req: IncomingMessage): boolean {
 let {host} = req.headers
 let localhost = false
 if (host) {
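Review bot: `isLocalhost` now takes an `IncomingMessage`, but its decision still rests entirely on the client-supplied `Host` header (`let {host} = req.headers`), and after this patch neither `setSessionCookie` nor `setAnonymousSessionCookie` calls it any more. If it has no remaining callers elsewhere it could be dropped; if it stays exported, a TSDoc line such as `/** Heuristic: true when the Host header names localhost. The header is client-controlled, so use it only for dev conveniences, never for trust decisions. */` would state that limitation for the next reader. The function body continues outside the hunk.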
@@ -575,18 +575,13 @@ const setHeader = (res: ServerResponse, name: string, value: string) => {
 }
 }
 
-const setSessionCookie = (
- req: IncomingMessage,
- res: ServerResponse,
- sessionToken: string,
- expiresAt: Date,
-) => {
+const setSessionCookie = (res: ServerResponse, sessionToken: string, expiresAt: Date) => {
 setCookie(
 res,
 cookie.serialize(COOKIE_SESSION_TOKEN(), sessionToken, {
 path: "/",
 httpOnly: true,
- secure: global.sessionConfig.secureCookies && !isLocalhost(req),
+ secure: global.sessionConfig.secureCookies,
 sameSite: global.sessionConfig.sameSite,
 domain: global.sessionConfig.domain,
 expires: expiresAt,
@@ -594,18 +589,13 @@ const setSessionCookie = (
 )
 }
 
-const setAnonymousSessionCookie = (
- req: IncomingMessage,
- res: ServerResponse,
- token: string,
- expiresAt: Date,
-) => {
+const setAnonymousSessionCookie = (res: ServerResponse, token: string, expiresAt: Date) => {
 setCookie(
 res,
 cookie.serialize(COOKIE_ANONYMOUS_SESSION_TOKEN(), token, {
 path: "/",
 httpOnly: true,
- secure: global.sessionConfig.secureCookies && !isLocalhost(req),
+ secure: global.sessionConfig.secureCookies,
 sameSite: global.sessionConfig.sameSite,
 domain: global.sessionConfig.domain,
 expires: expiresAt,
@@ -847,11 +837,11 @@ async function createNewSession(
 new Date(),
 global.sessionConfig.anonSessionExpiryMinutes as number,
 )
- setAnonymousSessionCookie(req, res, anonymousSessionToken, expiresAt)
+ setAnonymousSessionCookie(res, anonymousSessionToken, expiresAt)
 setCSRFCookie(req, res, antiCSRFToken, expiresAt)
 setPublicDataCookie(req, res, publicDataToken, expiresAt)
 // Clear the essential session cookie in case it was previously set
- setSessionCookie(req, res, "", new Date(0))
+ setSessionCookie(res, "", new Date(0))
 setHeader(res, HEADER_SESSION_CREATED, "true")
 
 return {
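Review bot: Removing `!isLocalhost(req)` from the `secure:` expression means that whenever `secureCookies` is enabled the session cookie is written with the `Secure` attribute even when the dev server is reached over plain HTTP; the MDN text cited in the changeset only describes the exemption for `localhost` itself, so a dev instance reached through another hostname or IP, or a browser that does not grant the exemption, will silently drop the cookie and sign-in will appear to do nothing. The old conjunction masked that configuration mistake, so the new requirement — `secureCookies` must be false for such setups — should be stated where the option is documented and in the changeset. A short comment on the changed line, e.g. `// Secure is left to the browser's localhost exemption in dev; other dev hosts need secureCookies=false`, would help the next reader. The same change is made in the `@@ -594` hunk for `setAnonymousSessionCookie`.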
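Review bot: `setCSRFCookie` and `setPublicDataCookie` on the two lines after the changed call still take `req`; their bodies are outside this diff, but if they still derive `secure` from `secureCookies && !isLocalhost(req)` the response will now carry a `Secure` session cookie next to non-`Secure` CSRF and public-data cookies on localhost, an inconsistent state that is hard to reason about when debugging auth failures. Either apply the same change to them or leave a comment saying why they keep the exemption. The same call pattern appears in the `@@ -903` and `@@ -955` hunks; `createNewSession` begins outside the hunk.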
@@ -903,11 +893,11 @@ async function createNewSession(
 privateData: JSON.stringify(newPrivateData),
 })
 
- setSessionCookie(req, res, sessionToken, expiresAt)
+ setSessionCookie(res, sessionToken, expiresAt)
 setCSRFCookie(req, res, antiCSRFToken, expiresAt)
 setPublicDataCookie(req, res, publicDataToken, expiresAt)
 // Clear the anonymous session cookie in case it was previously set
- setAnonymousSessionCookie(req, res, "", new Date(0))
+ setAnonymousSessionCookie(res, "", new Date(0))
 setHeader(res, HEADER_SESSION_CREATED, "true")
 
 return {
@@ -955,7 +945,7 @@ async function refreshSession(
 const publicDataToken = createPublicDataToken(sessionKernel.publicData)
 const expiresAt = addYears(new Date(), 30)
 
- setAnonymousSessionCookie(req, res, anonymousSessionToken, expiresAt)
+ setAnonymousSessionCookie(res, anonymousSessionToken, expiresAt)
 setPublicDataCookie(req, res, publicDataToken, expiresAt)
 } else if (global.sessionConfig.method === "essential" && "sessionToken" in sessionKernel) {
 const expiresAt = addMinutes(new Date(), global.sessionConfig.sessionExpiryMinutes as number)