fix(Auth): login/logout loop. The issue was coming from a wrong sessi…

…on set with an old refresh token already used by the auth API (so the API was responding with a no record found). The frontend was logout for security purposes (indeed the token was not fresh and compliant anymore). Signed-off-by: reslene <reslene@numary.com>
formancehq · Apr 26, 2023 · a83c390 · a83c390
1 parent fb3276e
commit a83c390
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 21 deletions.
diff --git a/app/routes/auth/logout.ts b/app/routes/auth/logout.ts
@@ -9,7 +9,6 @@ export const loader: LoaderFunction = async ({ request }): Promise<any> => {
   return redirect('/', {
     headers: {
       'Set-Cookie': await destroySession(session),
-      'Clear-SiteData': 'cache',
     },
   });
 };
diff --git a/app/routes/auth/refresh.ts b/app/routes/auth/refresh.ts
@@ -16,7 +16,6 @@ import {
 export const loader: LoaderFunction = async ({ request }) => {
   const session = await getSession(request.headers.get('Cookie'));
   const sessionHolder: Authentication = parseSessionHolder(session);
-
   const authentication = await getOpenIdConfig().then((config) =>
     refreshToken(config, sessionHolder.refresh_token)
   );

diff --git a/app/src/utils/auth.server.ts b/app/src/utils/auth.server.ts
@@ -1,6 +1,11 @@
 import crypto from 'crypto';
 
-import { createCookieSessionStorage, json, Session } from '@remix-run/node';
+import {
+  createCookie,
+  createCookieSessionStorage,
+  json,
+  Session,
+} from '@remix-run/node';
 import { TypedResponse } from '@remix-run/server-runtime';
 
 import { ObjectOf } from '~/src/types/generic';
@@ -12,7 +17,7 @@ import {
   SessionWrapper,
 } from '~/src/utils/api';
 
-export const COOKIE_NAME = 'auth_session';
+export const COOKIE_NAME = '__session';
 export const AUTH_CALLBACK_ROUTE = '/auth/login';
 export const REDIRECT_URI = process.env.REDIRECT_URI;
 
@@ -30,15 +35,15 @@ const unsecureCookies =
 if (unsecureCookies) {
   console.info('Load session storage with unsecure cookies');
 }
+
 export const sessionStorage = createCookieSessionStorage({
-  cookie: {
-    name: COOKIE_NAME, // use any name you want here
+  cookie: createCookie(COOKIE_NAME, {
     sameSite: 'lax', // this helps with CSRF
     path: '/', // remember to add this so the cookie will work in all routes
     httpOnly: !unsecureCookies, // for security reasons, make this cookie http only
     secrets: [process.env.CLIENT_SECRET || 'secret'], // replace this with an actual secret
     secure: !unsecureCookies,
-  },
+  }),
 });
 
 export const encrypt = (payload: Authentication): string => {
@@ -148,29 +153,16 @@ export const introspect = async (
 
 export const handleResponse = async (
   data: SessionWrapper
-): Promise<TypedResponse<any>> =>
-  json(data.callbackResult, {
-    headers: data.cookieValue
-      ? {
-          'Set-Cookie': data.cookieValue,
-        }
-      : {},
-  });
+): Promise<TypedResponse<any>> => json(data.callbackResult);
 
 export const withSession = async (
   request: Request,
   callback: (session: Session) => any
 ): Promise<SessionWrapper> => {
   const session = await getSession(request.headers.get('Cookie'));
   const c = await callback(session);
-  const commitSession = await sessionStorage.commitSession(session);
-  const commitSessionCookieValue = commitSession.split(';')[0];
 
   return {
-    cookieValue:
-      request.headers.get('Cookie') != commitSessionCookieValue
-        ? commitSession
-        : undefined,
     callbackResult: c,
   };
 };