auth0 · adamjmcgrath · Jan 31, 2022 · Jan 26, 2022 · Jan 27, 2022 · Jan 28, 2022
@@ -0,0 +1,33 @@
+// This example needs to be run on https, see https://auth0.com/docs/libraries/secure-local-development
+const express = require('express');
+const { auth } = require('../');
+
+const app = express();
+
+app.use(
+  auth({
+    authRequired: false,
+    idpLogout: true,
+    session: {
+      cookie: {
+        sameSite: 'None',
+      },
+    },
+  })
+);
+
+app.get('/', (req, res) => {
+  if (req.oidc.isAuthenticated()) {
+    res.send(`hello ${req.oidc.user.sub}, <a href="/logout">logout</a>`);
+  } else {
+    res.send(`<a href="/login">login</a>`);
+  }
+});
+
+app.get('/iframe', (req, res) => {
+  res.send(`
+  <iframe src="https://localhost" style="width: 100%; height: 100%;"/>
+  `);
+});
+
+module.exports = app;
@@ -127,10 +127,7 @@ module.exports = (config) => {
       );
       for (const cookieName of Object.keys(cookies)) {
         if (cookieName.match(`^${sessionName}(?:\\.\\d)?$`)) {
-          res.clearCookie(cookieName, {
-            domain: cookieOptions.domain,
-            path: cookieOptions.path,
-          });
+          clearCookie(cookieName, res);
         }
       }
     } else {
@@ -160,26 +157,30 @@ module.exports = (config) => {
         }
         if (sessionName in cookies) {
           debug('replacing non chunked cookie with chunked cookies');
-          res.clearCookie(sessionName, {
-            domain: cookieConfig.domain,
-            path: cookieConfig.path,
-          });
+          clearCookie(sessionName, res);
         }
       } else {
         res.cookie(sessionName, value, cookieOptions);
         for (const cookieName of Object.keys(cookies)) {
           debug('replacing chunked cookies with non chunked cookies');
           if (cookieName.match(`^${sessionName}\\.\\d$`)) {
-            res.clearCookie(cookieName, {
-              domain: cookieConfig.domain,
-              path: cookieConfig.path,
-            });
+            clearCookie(cookieName, res);
           }
         }
       }
     }
   }
 
+  function clearCookie(name, res) {
+    const { domain, path, sameSite, secure } = cookieConfig;
+    res.clearCookie(name, {
+      domain,
+      path,
+      sameSite,
+      secure,
+    });
+  }
+
   class CookieStore {
     async get(idOrVal) {
       const { protected: header, cleartext } = decrypt(idOrVal);
@@ -213,7 +214,8 @@ module.exports = (config) => {
     ) {
       const hasPrevSession = !!req[COOKIES][sessionName];
       const replacingPrevSession = !!req[REGENERATED_SESSION_ID];
-      const hasCurrentSession = req[sessionName] && Object.keys(req[sessionName]).length;
+      const hasCurrentSession =
+        req[sessionName] && Object.keys(req[sessionName]).length;
       if (hasPrevSession && (replacingPrevSession || !hasCurrentSession)) {
         await this._destroy(id);
       }
@@ -233,10 +235,7 @@ module.exports = (config) => {
     ) {
       if (!req[sessionName] || !Object.keys(req[sessionName]).length) {
         if (req[COOKIES][sessionName]) {
-          res.clearCookie(sessionName, {
-            domain: cookieConfig.domain,
-            path: cookieConfig.path,
-          });
+          clearCookie(sessionName, res);
         }
       } else {
         const cookieOptions = {
@@ -369,9 +368,7 @@ module.exports = (config) => {
         }
       };
     } else {
-      onHeaders(res, () =>
-        store.setCookie(req, res, { iat })
-      );
+      onHeaders(res, () => store.setCookie(req, res, { iat }));
     }
 
     return next();

@@ -136,8 +136,10 @@ class TransientCookieHandler {
       return undefined;
     }
 
+    const { secure, sameSite } = this.sessionCookieConfig;
+
     let value = getCookieValue(key, req[COOKIES][key], this.keyStore);
-    this.deleteCookie(key, res);
+    this.deleteCookie(key, res, { secure, sameSite });
 
     if (this.legacySameSiteCookie) {
       const fallbackKey = `_${key}`;
@@ -188,12 +190,16 @@ class TransientCookieHandler {
    *
    * @param {String} name Cookie name
    * @param {Object} res Express Response object
+   * @param {Object?} opts Optional SameSite and Secure cookie options for modern browsers
    */
-  deleteCookie(name, res) {
+  deleteCookie(name, res, opts = {}) {
     const { domain, path } = this.sessionCookieConfig;
+    const { sameSite, secure } = opts;
     res.clearCookie(name, {
       domain,
       path,
+      sameSite,
+      secure,
     });
   }
 }

@@ -8,7 +8,7 @@ const cancelSilentLogin = (req, res) => {
   const {
     config: {
       session: {
-        cookie: { secure, domain, path },
+        cookie: { secure, domain, path, sameSite },
       },
     },
   } = weakRef(req.oidc);
@@ -17,21 +17,24 @@ const cancelSilentLogin = (req, res) => {
     secure,
     domain,
     path,
+    sameSite,
   });
 };
 
 const resumeSilentLogin = (req, res) => {
   const {
     config: {
       session: {
-        cookie: { domain, path },
+        cookie: { domain, path, sameSite, secure },
       },
     },
   } = weakRef(req.oidc);
   res.clearCookie(COOKIE_NAME, {
     httpOnly: true,
     domain,
     path,
+    sameSite,
+    secure,
   });
 };
 

@@ -1,4 +1,5 @@
 const { URL } = require('url');
+const sinon = require('sinon');
 const { assert } = require('chai');
 const { create: createServer } = require('./fixture/server');
 const { makeIdToken } = require('./fixture/cert');
@@ -8,6 +9,11 @@ const request = require('request-promise-native').defaults({
   resolveWithFullResponse: true,
   followRedirect: false,
 });
+const weakRef = require('../lib/weakCache.js');
+const {
+  cancelSilentLogin,
+  resumeSilentLogin,
+} = require('../middleware/attemptSilentLogin');
 
 const baseUrl = 'http://localhost:3000';
 
@@ -158,4 +164,29 @@ describe('attemptSilentLogin', () => {
       'req.oidc is not found, did you include the auth middleware?'
     );
   });
+
+  it('should honor SameSite config for use in iframes', async () => {
+    const ctx = {};
+    const oidc = weakRef(ctx);
+    oidc.config = {
+      session: {
+        cookie: {
+          sameSite: 'None',
+          secure: true,
+        },
+      },
+    };
+    const resumeSpy = sinon.spy();
+    const cancelSpy = sinon.spy();
+    resumeSilentLogin({ oidc: ctx }, { clearCookie: resumeSpy });
+    cancelSilentLogin({ oidc: ctx }, { cookie: cancelSpy });
+    sinon.assert.calledWithMatch(resumeSpy, 'skipSilentLogin', {
+      sameSite: 'None',
+      secure: true,
+    });
+    sinon.assert.calledWithMatch(cancelSpy, 'skipSilentLogin', true, {
+      sameSite: 'None',
+      secure: true,
+    });
+  });
 });
@@ -137,6 +137,32 @@ describe('transientHandler', function () {
       sinon.assert.calledWith(res.clearCookie, '_test_key');
     });
 
+    it('should delete both cookies with a secure iframe config', function () {
+      const transientHandlerHttpsIframe = new TransientCookieHandler({
+        secret,
+        session: { cookie: { secure: true, sameSite: 'None' } },
+        legacySameSiteCookie: true,
+      });
+      const signature = generateSignature('test_key', 'foo');
+      const cookies = {
+        test_key: `foo.${signature}`,
+        _test_key: `foo.${signature}`,
+      };
+      const req = reqWithCookies(cookies);
+      const value = transientHandlerHttpsIframe.getOnce('test_key', req, res);
+
+      assert.equal(value, 'foo');
+
+      sinon.assert.calledWithMatch(res.clearCookie, 'test_key', {
+        sameSite: 'None',
+        secure: true,
+      });
+      sinon.assert.calledWithMatch(res.clearCookie, '_test_key', {
+        sameSite: undefined,
+        secure: undefined,
+      });
+    });
+
     it('should return fallback value and delete both cookies if main value not present', function () {
       const cookies = {
         _test_key: `foo.${generateSignature('_test_key', 'foo')}`,