fix(adapter-nextjs): wrong cookie attributes get set sometimes #14169
Conversation
HuiSF
requested review from
sktimalsina,
cshfang and
pranavosu
as code owners
When server-side auth is enabled, only acessToken, idToken, refreshToken and LastAuthUser cookies are set in cookie store. When calling Amplify APIs with runWithAmplifyServerContext then tokens need to be refreshed, the underlying tokenStore interface sets extra cookies for the original client-side use cases which is NOT ideal.
HuiSF
changed the title
| isServerSideAuthEnabled() { | ||
| return isServerSideAuthEnabled; | ||
| }, | ||
| enableServerSideAuth() { |
There was a problem hiding this comment.
I suspect the answer is no but is there a world where someone would want to freely flip this back and forth?
| let isSSLOrigin = false; | ||
|
|
||
| export const globalSettings: NextServer.GlobalSettings = { | ||
| isServerSideAuthEnabled() { |
There was a problem hiding this comment.
Super nit: Group setters together and getters together, or keep them in the same order i.e. setter first then getter. Just to aid readability
|
|
||
| const mergedSetCookieOptions = { | ||
| // default options when not specified | ||
| ...DEFAULT_SERVER_SIDE_AUTH_SET_COOKIE_OPTIONS, |
There was a problem hiding this comment.
I think I'm a little thrown off by the naming - these are default setCookie options for server side auth - but it doesn't require isServerSideAuthEnabled to be true?
|
|
||
| import { ensureEncodedForJSCookie, serializeCookie } from './cookie'; | ||
|
|
||
| export const DATE_IN_THE_PAST = new Date(0); | ||
|
|
||
| export const createCookieStorageAdapterFromNextServerContext = async ( | ||
| context: NextServer.Context, | ||
| ignoreNonServerSideCookies = false, |
There was a problem hiding this comment.
What kinds of cookies qualify as "non-server-side"?
| if (ignoreNonServerSideCookies && isServerSideAuthIgnoredCookie(name)) { | ||
| return; | ||
| } |
There was a problem hiding this comment.
Nit: Does this need to be in the try? Ditto below
| isServerSideAuthEnabled(): boolean; | ||
| enableServerSideAuth(): void; |
There was a problem hiding this comment.
Super nit: Switch so each grouping has setter first then getter just for ease of understanding
| @@ -35,6 +36,15 @@ export const createServerRunner: NextServer.CreateServerRunner = ({ | |||
| const amplifyConfig = parseAmplifyConfig(config); | |||
| const amplifyAppOrigin = process.env.AMPLIFY_APP_ORIGIN; | |||
|
|
|||
| globalSettings.setRuntimeOptions(runtimeOptions || {}); | |||
There was a problem hiding this comment.
Can runtimeOptions be falsy in a way that ?? wouldn't work?
| @@ -35,6 +36,15 @@ export const createServerRunner: NextServer.CreateServerRunner = ({ | |||
| const amplifyConfig = parseAmplifyConfig(config); | |||
| const amplifyAppOrigin = process.env.AMPLIFY_APP_ORIGIN; | |||
|
|
|||
| globalSettings.setRuntimeOptions(runtimeOptions || {}); | |||
|
|
|||
| if (amplifyAppOrigin !== undefined && isValidOrigin(amplifyAppOrigin)) { | |||
There was a problem hiding this comment.
Nit: Would undefined ever be a valid origin? Or can isValidOrigin just encapsulate that guard/check?
There was a problem hiding this comment.
+1 it seems as though isValidOrigin could be adapted to handle an undefined input.
| if (amplifyAppOrigin !== undefined && isValidOrigin(amplifyAppOrigin)) { | ||
| globalSettings.setIsSSLOrigin(isSSLOrigin(amplifyAppOrigin)); | ||
|
|
||
| // update the serverSideAuthEnabled flag that exists in the closure of createServerRunner() to true |
There was a problem hiding this comment.
Is this flag still only in the createServerRunner closure?
| @@ -79,3 +82,8 @@ export const createTokenCookiesRemoveOptions = ( | |||
| path: '/', | |||
| maxAge: REMOVE_COOKIE_MAX_AGE, // Expire immediately (remove the cookie) | |||
| }); | |||
|
|
|||
| export const isServerSideAuthIgnoredCookie = (cookieName: string) => | |||
There was a problem hiding this comment.
Nit: Would it be more intuitive for this to be server side auth allowed cookie given that that's the list we have? This might be invalidated by a different comment I have below about possibly consolidating the function purpose
| ), | ||
| tokenValidator, | ||
| setCookieOptions, | ||
| mergedSetCookieOptions, |
There was a problem hiding this comment.
Nit: It's getting kind of difficult to track what the default set cookie options will be when server side auth is enabled vs disabled. We have defaults in the cookie storage adaptor and here in the runWithAmplifyServerContext factory. Is there a way we can unify or clarify this?
| @@ -35,6 +36,15 @@ export const createServerRunner: NextServer.CreateServerRunner = ({ | |||
| const amplifyConfig = parseAmplifyConfig(config); | |||
| const amplifyAppOrigin = process.env.AMPLIFY_APP_ORIGIN; | |||
|
|
|||
| globalSettings.setRuntimeOptions(runtimeOptions || {}); | |||
|
|
|||
| if (amplifyAppOrigin !== undefined && isValidOrigin(amplifyAppOrigin)) { | |||
There was a problem hiding this comment.
+1 it seems as though isValidOrigin could be adapted to handle an undefined input.
Description of changes
Change 1
Create a global context store on the server start (when
createServerRunnergets called) for separated processes (therunWithAmplifyServerContext, and therunWithAmplifyServerContextused by the data server-side client factories) of the library, so they can look up flags and configurations as the following:isServerSideAuthEnabled(determined by whether theAMPLIFY_APP_ORIGINenv var is set as it's the prerequisite of enabling server-side auth)isSSLOrigin(determined by whetherAMPLIFY_APP_ORIGINcontains a https non localhost origin)runtimeOptions(theruntimeOptionsobject passed in when callingcreateServerRunner)At runtime, when some Amplify APIs are called within a closure created by a
runWithAmplifyServerContext,globalRuntimeContextis used to retrieve relevant information from the above.For example: when server side is enabled,
runtimeOptions.cookiesis always merged with{ httpOnly: true }to enforce the token cookies are HTTP only.Change 2
Instruct the cookie adapters created from Next.js server context that when server-side auth is enabled, when Amplify tokenStore interface attempts to set extra cookies, the adapters should ignore these cookies. (tradeoff of reusing the preexisting token store interface)
Issue #, if available
Description of how you validated changes
Checklist
yarn testpassesChecklist for repo maintainers
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.