Add option to override transaction cookie name #414

Merged
merged 4 commits into from
Nov 9, 2022

Conversation

MatthewBacalakis
Copy link
Contributor

… clients on same protocol and domain.

The key ("auth_verification") of the cookie storing nonce/state is problematic in cases where multiple applications share a common protocol and domain. In that case, multiple concurrent logins can conflict, with the login for one app clearing the auth_verification cookie intended for the other app. I recalled the SPA SDK used to have a similar problem, and for this reason clientId was added to the key of the nonce/state storage.

To solve this the same way I've appended .CLIENT_ID to the key of the cookie storing nonce.

@MatthewBacalakis MatthewBacalakis requested a review from a team as a code owner November 3, 2022 22:59
@adamjmcgrath
Copy link
Contributor

Thanks for raising this @MatthewBacalakis!

I know spa-js solves it this way, but I'd like to solve this by allowing the user to override the transaction cookie name themselves.

Users can already set a custom session cookie name with session.name, so this would be consistent with the rest of the API. I'd also like to keep the default name the same and offer some flexibility to users that might want to partition these cookies by audience/scope/something else.

We already have transactionCookie config, so it would be a case of adding a name option to it eg.

app.use(auth({ transactionCookie: { name: 'state.client1' } }));
app.use(auth({ transactionCookie: { name: 'state.client2' } }));

@MatthewBacalakis
Copy link
Contributor Author

Updated this so that the cookie can optionally be given any name instead of appending the client id. If transactionCookie.name is set in config, that name is used. If not, the current auth_verification name is used.

Copy link
Contributor

@adamjmcgrath adamjmcgrath left a comment

lgtm 👍

Could you also update the type defs https://github.com/auth0/express-openid-connect/blob/master/index.d.ts#L480

Something like

transactionCookie?: Pick<CookieConfigParams, 'sameSite'> & { name?: string };

@adamjmcgrath adamjmcgrath merged commit 2330a68 into auth0:master Nov 9, 2022
@adamjmcgrath adamjmcgrath mentioned this pull request Nov 11, 2022
@adamjmcgrath adamjmcgrath changed the title Adding client id to _auth_verification cookie key to support multiple… Add option to override transaction cookie name Nov 11, 2022
@adamjmcgrath
Copy link
Contributor

This got released in 2.10.0 - thanks for your contribution @MatthewBacalakis!
