From fee0ba821618f54e49a3d13692874d94b141653e Mon Sep 17 00:00:00 2001 From: Jonathan Wu <53251695+jonowu@users.noreply.github.com> Date: Sat, 22 May 2021 21:13:57 +1000 Subject: [PATCH 1/3] Add sameSite option to sessions --- .changeset/shiny-drinks-camp.md | 6 ++++++ docs/pages/apis/session.mdx | 5 ++++- packages-next/keystone/src/session/index.ts | 11 +++++++++-- 3 files changed, 19 insertions(+), 3 deletions(-) create mode 100644 .changeset/shiny-drinks-camp.md diff --git a/.changeset/shiny-drinks-camp.md b/.changeset/shiny-drinks-camp.md new file mode 100644 index 00000000000..476ee53ac15 --- /dev/null +++ b/.changeset/shiny-drinks-camp.md @@ -0,0 +1,6 @@ +--- +'@keystone-next/website': minor +'@keystone-next/keystone': minor +--- + +Added `sameSite` option to session options for cookies diff --git a/docs/pages/apis/session.mdx b/docs/pages/apis/session.mdx index 37d05d11b32..087568c3dfe 100644 --- a/docs/pages/apis/session.mdx +++ b/docs/pages/apis/session.mdx @@ -19,6 +19,7 @@ export default config({ secure: true, path: '/', domain: 'localhost', + sameSite: 'lax', }), { User: 'name isAdmin' } ), 
@@ -63,8 +64,10 @@ Options For Firefox, the `https:` requirements are ignored when the `secure` attribute is set by localhost (since Firefox 75). - `path` (default: `'/'`): A path that must exist in the requested URL, or the browser won't send the cookie header. The forward slash (`/`) character is interpreted as a directory separator, and subdirectories will be matched as well: for `path: '/docs'`, `/docs`, `/docs/Web/`, and `/docs/Web/HTTP` will all match. -- `domain` (default: current document URL): Host to which the cookie will be sent. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `domain` cookie attribute.. +- `domain` (default: current document URL): Host to which the cookie will be sent. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `domain` cookie attribute. **Note**: Only one domain is allowed. If a domain is specified then subdomains are always included. +- `sameSite` (default: `'lax'`): Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `sameSite` cookie attribute, including the inline options. + **Note**: The `secure` attribute must also be set when `sameSite` is set to `none`! ### Session stores diff --git a/packages-next/keystone/src/session/index.ts b/packages-next/keystone/src/session/index.ts index 7befb911479..066a8936eb5 100644 --- a/packages-next/keystone/src/session/index.ts +++ b/packages-next/keystone/src/session/index.ts @@ -64,6 +64,12 @@ type StatelessSessionsOptions = { * @default current domain */ domain?: string; + /** + * Specifies the value for the `SameSite` `Set-Cookie` attribute + * + * @default 'lax' + */ + sameSite?: 'lax' | 'strict' | 'none'; }; type FieldSelections = { 
@@ -122,6 +128,7 @@ export function statelessSessions({
 secure = process.env.NODE_ENV === 'production',
 ironOptions = Iron.defaults,
 domain,
+ sameSite = 'lax',
 }: StatelessSessionsOptions): () => SessionStrategy {
 return () => {
 if (!secret) {
@@ -148,7 +155,7 @@ export function statelessSessions({
 httpOnly: true,
 secure,
 path,
- sameSite: 'lax',
+ sameSite,
 domain,
 })
 );
@@ -164,7 +171,7 @@ export function statelessSessions({
 httpOnly: true,
 secure,
 path,
- sameSite: 'lax',
+ sameSite,
 domain,
 })
 );
From cdca1f6e3086d314fb316b347d2bd5e9bbac41b6 Mon Sep 17 00:00:00 2001
From: Jonathan Wu <53251695+jonowu@users.noreply.github.com>
Date: Sat, 22 May 2021 21:22:14 +1000
Subject: [PATCH 2/3] Improve documentation
---
 docs/pages/apis/session.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/pages/apis/session.mdx b/docs/pages/apis/session.mdx
index 087568c3dfe..19a0274d60f 100644
--- a/docs/pages/apis/session.mdx
+++ b/docs/pages/apis/session.mdx
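Review bot: `sameSite: 'none'` is accepted without any check on `secure`, while `secure` still defaults to `process.env.NODE_ENV === 'production'` in the first hunk, so a non-production config that sets `sameSite: 'none'` emits `SameSite=None` without `Secure`; browsers following the rfc6265bis rules discard such a cookie, the session silently never sticks, and the only guard in this series is a sentence in the mdx docs. A runtime check next to the existing `if (!secret)` guard would turn that into a loud failure: `if (sameSite === 'none' && !secure) {` / `throw new Error("sameSite: 'none' requires secure: true");` / `}`. It is also worth a TSDoc line on the option that `'none'` gives up the cross-site request protection the `'lax'` default provides for the session cookie, so a deployment choosing it needs another CSRF defence. The body of `statelessSessions` begins before and continues after these hunks.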
@@ -66,7 +66,7 @@ Options The forward slash (`/`) character is interpreted as a directory separator, and subdirectories will be matched as well: for `path: '/docs'`, `/docs`, `/docs/Web/`, and `/docs/Web/HTTP` will all match. - `domain` (default: current document URL): Host to which the cookie will be sent. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `domain` cookie attribute. **Note**: Only one domain is allowed. If a domain is specified then subdomains are always included. -- `sameSite` (default: `'lax'`): Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `sameSite` cookie attribute, including the inline options. +- `sameSite` (default: `'lax'`): Controls whether the cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. Can be one of `'strict'`, `'lax'` or `'none'`. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `sameSite` cookie attribute. **Note**: The `secure` attribute must also be set when `sameSite` is set to `none`! ### Session stores From 8a75c0d878f59d3bd767d5216525873566d95aaa Mon Sep 17 00:00:00 2001 From: Jonathan Wu <53251695+jonowu@users.noreply.github.com> Date: Sat, 22 May 2021 21:38:44 +1000 Subject: [PATCH 3/3] Add boolean options --- docs/pages/apis/session.mdx | 2 +- packages-next/keystone/src/session/index.ts | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/pages/apis/session.mdx b/docs/pages/apis/session.mdx index 19a0274d60f..343af194903 100644 --- a/docs/pages/apis/session.mdx +++ b/docs/pages/apis/session.mdx 
@@ -66,7 +66,7 @@ Options The forward slash (`/`) character is interpreted as a directory separator, and subdirectories will be matched as well: for `path: '/docs'`, `/docs`, `/docs/Web/`, and `/docs/Web/HTTP` will all match. - `domain` (default: current document URL): Host to which the cookie will be sent. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `domain` cookie attribute. **Note**: Only one domain is allowed. If a domain is specified then subdomains are always included. -- `sameSite` (default: `'lax'`): Controls whether the cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks. Can be one of `'strict'`, `'lax'` or `'none'`. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `sameSite` cookie attribute. +- `sameSite` (default: `'lax'`): Controls whether the cookie is sent with cross-origin requests. Can be one of `true`, `false`, `'strict'`, `'lax'` or `'none'`. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) for more details on the `sameSite` cookie attribute. **Note**: The `secure` attribute must also be set when `sameSite` is set to `none`! ### Session stores diff --git a/packages-next/keystone/src/session/index.ts b/packages-next/keystone/src/session/index.ts index 066a8936eb5..cac0d706804 100644 --- a/packages-next/keystone/src/session/index.ts +++ b/packages-next/keystone/src/session/index.ts 
@@ -65,11 +65,11 @@ type StatelessSessionsOptions = {
 */
 domain?: string;
 /**
- * Specifies the value for the `SameSite` `Set-Cookie` attribute
+ * Specifies the boolean or string to be the value for the {@link https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7|`SameSite` `Set-Cookie` attribute}.
 *
 * @default 'lax'
 */
- sameSite?: 'lax' | 'strict' | 'none';
+ sameSite?: true | false | 'lax' | 'strict' | 'none';
 };
 type FieldSelections = {
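Review bot: `true | false` is just `boolean`, and the new TSDoc says "boolean or string" without stating what either boolean produces, so a reader cannot tell that `false` is the weakest choice; if the value reaches a `cookie`-style serializer (the serializer is outside this hunk), `true` is conventionally emitted as `SameSite=Strict` and `false` omits the attribute altogether, leaving cross-site sending to each browser's default rather than the Lax protection the `'lax'` default gives. Write the type as `sameSite?: boolean | 'lax' | 'strict' | 'none';` and add to the comment a line such as `* 'true' is treated as 'strict'; 'false' omits the attribute (browser default, not guaranteed Lax). Prefer the explicit string values.` The TSDoc should also carry the constraint the mdx docs already state — `'none'` requires `secure: true` — because the type comment is what editors show at the call site. The enclosing `StatelessSessionsOptions` type starts before this hunk.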