[SDK-2155] Default cookie.secure config to the protocol of baseURL #159

adamjmcgrath · 2020-11-12T16:00:28Z

Description

Default the cookie.secure config to the protocol of the baseUrl config - rather than defaulting it to the protocol of the req.url (which relies on the developer to set trust proxy when behind a proxy)

And a couple of other things that should improve the DX around this setting:

if you override cookie.secure to true and baseUrl is http - throw an error, because this will not work (your secure cookies won't be read over http)
if you override cookie.secure to false and baseUrl is https - warn the user that the cookie will not be set with the Secure attribute
If baseUrl is http and response_mode is form_post - warn the use that this will only work for <2min logins (have also added an FAQ for this)

References

Chrome 2 min exception for Lax+POST https://www.chromium.org/updates/same-site
fixes #145

Testing

This change adds test coverage for new/changed/fixed functionality

Checklist

I have added documentation for new/changed functionality in this PR or in auth0.com/docs
All active GitHub checks for tests, formatting, and security are passing
The correct base branch is being used, if not master

…onfig

panva

LGTM, i'm leaving some text suggestions.

FAQ.md

lib/config.js

test/config.tests.js

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

adamjmcgrath added 2 commits November 12, 2020 15:35

Default the cookie.secure config to the protocol of the baseUrl c…

2ea1bf4

…onfig

Update FAQ

477bf25

adamjmcgrath requested a review from a team as a code owner November 12, 2020 16:00

adamjmcgrath requested review from panva and lzychowski November 12, 2020 16:49

adamjmcgrath added the review:medium Medium review label Nov 12, 2020

adamjmcgrath added 2 commits November 12, 2020 21:54

Merge branch 'master' into baseurl-cookie

8cdcde8

Merge branch 'master' into baseurl-cookie

9863fe5

panva reviewed Dec 2, 2020

View reviewed changes

Apply suggestions from code review

0d3a956

Co-authored-by: Filip Skokan <panva.ip@gmail.com>

adamjmcgrath requested a review from panva December 3, 2020 17:44

panva approved these changes Dec 3, 2020

View reviewed changes

adamjmcgrath merged commit df1d82b into master Dec 7, 2020

adamjmcgrath deleted the baseurl-cookie branch December 7, 2020 13:33

adamjmcgrath added a commit to auth0/nextjs-auth0 that referenced this pull request Dec 8, 2020

Update new secure cookie behaviour form auth0/express-openid-connect#159

86ff385

davidpatrick added the CH: Changed label Dec 14, 2020

Widcket mentioned this pull request Feb 5, 2021

beta auth0/nextjs-auth0#275

Closed

FPiety0521 pushed a commit to FPiety0521/Auth0-Next.js-SDK that referenced this pull request Apr 28, 2023

Update new secure cookie behaviour form auth0/express-openid-connect#159

d66fbfc

redsky030428 added a commit to redsky030428/autho_next.js that referenced this pull request May 13, 2024

Update new secure cookie behaviour form auth0/express-openid-connect#159

0c56b89

luckyshinystar7 pushed a commit to luckyshinystar7/nextjs-crysdyazandco that referenced this pull request Aug 5, 2024

Update new secure cookie behaviour form auth0/express-openid-connect#159

c70fa4c

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SDK-2155] Default cookie.secure config to the protocol of baseURL #159

[SDK-2155] Default cookie.secure config to the protocol of baseURL #159

adamjmcgrath commented Nov 12, 2020 •

edited

Loading

panva left a comment

[SDK-2155] Default cookie.secure config to the protocol of baseURL #159

[SDK-2155] Default cookie.secure config to the protocol of baseURL #159

Conversation

adamjmcgrath commented Nov 12, 2020 • edited Loading

Description

References

Testing

Checklist

panva left a comment

Choose a reason for hiding this comment

adamjmcgrath commented Nov 12, 2020 •

edited

Loading