allow configuration of same site attribute on auth_verification cookie #323

Merged
merged 4 commits into from
Feb 11, 2022
5 changes: 5 additions & 0 deletions index.d.ts
Expand Up @@ -450,6 +450,11 @@ interface ConfigParams {
* Relative path to the application callback to process the response from the authorization server.
*/
callback?: string;

/**
* Configuration parameters used for the transaction cookie.
*/
transactionCookie: Pick<CookieConfigParams, 'sameSite'>;
};

/**
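Review bot: `transactionCookie` is declared as a required member of ConfigParams, but the Joi schema it mirrors gives both the object and its `sameSite` key a default, so TypeScript callers would now be forced to pass a value the runtime never requires; change the line to `transactionCookie?: Pick<CookieConfigParams, 'sameSite'>;`. The doc comment could also state the precedence a user needs to know: `Defaults to session.cookie.sameSite; forced to 'None' when authorizationParams.response_mode is 'form_post'.` The ConfigParams interface starts before the hunk.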
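--- a/lib/config.js
+++ b/lib/config.js
@@ -77,6 +77,14 @@ const paramsSchema = Joi.object({
 })
 .default()
 .unknown(false),
+transactionCookie: Joi.object({
+sameSite: Joi.string()
+.valid('Lax', 'Strict', 'None')
+.optional()
+.default(Joi.ref('...session.cookie.sameSite')),
+})
+.default()
+.unknown(false),
 auth0Logout: Joi.boolean().optional().default(false),
 tokenEndpointParams: Joi.object().optional(),
 authorizationParams: Joi.object({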
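Review bot: The schema accepts `'None'` for `transactionCookie.sameSite` without tying it to the cookie being Secure; browsers discard a SameSite=None cookie that is not also Secure, so a deployment whose session cookie cannot be secure (the http-baseURL case the existing test at `should fail when the baseURL is http and cookie is secure` guards for the session cookie) would have its auth_verification cookie dropped and every login callback fail with no validation error. Whether the transaction cookie inherits `session.cookie.secure` is not visible in this hunk; if it does, consider a `.when()` against that setting, or at least document the constraint. A comment on the `Joi.ref('...session.cookie.sameSite')` line, `// leading '...' resolves the ref from the config root (grandparent), not from the sibling key`, would also spare the next reader a trip to the Joi docs — presumably that is the intent, given the default-from-session test. The paramsSchema object starts and ends outside the hunk.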
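--- a/lib/context.js
+++ b/lib/context.js
@@ -259,7 +259,7 @@ class ResponseContext {
 sameSite:
 options.authorizationParams.response_mode === 'form_post'
 ? 'None'
-: config.session.cookie.sameSite,
+: config.transactionCookie.sameSite,
 value: JSON.stringify(authVerification),
 });
 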
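Review bot: The `form_post` branch still hard-codes `'None'`, so a configured `transactionCookie.sameSite` is silently ignored in that mode, which the option's name does not suggest; a comment on the ternary, `// form_post delivers the response cross-site, so the transaction cookie must be SameSite=None regardless of transactionCookie.sameSite`, would make the precedence explicit at the point it is applied. The enclosing method of ResponseContext starts and ends outside the hunk.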
58 changes: 58 additions & 0 deletions test/config.tests.js
Expand Up @@ -185,6 +185,9 @@ describe('get config', () => {

assert.deepInclude(config, {
secret: ['__test_session_secret_1__', '__test_session_secret_2__'],
transactionCookie: {
sameSite: 'Strict',
},
session: {
name: '__test_custom_session_name__',
rollingDuration: 1234567890,
Expand All @@ -202,6 +205,61 @@ describe('get config', () => {
});
});

it('should set default transaction cookie sameSite configuration', () => {
const config = getConfig({
...defaultConfig,
secret: ['__test_session_secret_1__', '__test_session_secret_2__'],
});

assert.deepInclude(config, {
secret: ['__test_session_secret_1__', '__test_session_secret_2__'],
transactionCookie: {
sameSite: 'Lax',
},
});
});

it('should set default transaction cookie sameSite configuration from session cookie configuration', () => {
const config = getConfig({
...defaultConfig,
secret: ['__test_session_secret_1__', '__test_session_secret_2__'],
session: {
cookie: {
sameSite: 'Strict',
},
},
});

assert.deepInclude(config, {
secret: ['__test_session_secret_1__', '__test_session_secret_2__'],
transactionCookie: {
sameSite: 'Strict',
},
});
});

it('should set custom transaction cookie configuration', () => {
const config = getConfig({
...defaultConfig,
secret: ['__test_session_secret_1__', '__test_session_secret_2__'],
transactionCookie: {
sameSite: 'Strict',
},
session: {
cookie: {
sameSite: 'Lax',
},
},
});

assert.deepInclude(config, {
secret: ['__test_session_secret_1__', '__test_session_secret_2__'],
transactionCookie: {
sameSite: 'Strict',
},
});
});

it('should fail when the baseURL is http and cookie is secure', function () {
assert.throws(() => {
getConfig({
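Review bot: The three new cases only exercise accepted values; nothing checks that the schema's `.valid('Lax', 'Strict', 'None')` rejects anything else or that `.unknown(false)` rejects stray keys, so a case variant such as `'none'` slipping through a future refactor would go unnoticed. Add a negative case beside them, e.g. `assert.throws(() => getConfig({ ...defaultConfig, secret: ['__test_session_secret_1__', '__test_session_secret_2__'], transactionCookie: { sameSite: 'none' } }));`. The describe block continues outside the hunk.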
28 changes: 23 additions & 5 deletions test/login.tests.js
Expand Up @@ -363,16 +363,36 @@ describe('auth', () => {
assert.isDefined(fetchFromAuthCookie(res, 'code_verifier'));
});

it('should respect sameSite when response_mode is not form_post', async () => {
it('should respect session.cookie.sameSite when transaction.sameSite is not set and response_mode is not form_post', async () => {
server = await createServer(
auth({
...defaultConfig,
clientSecret: '__test_client_secret__',
authorizationParams: {
response_mode: 'query',
response_type: 'code',
},
session: {
cookie: {
sameSite: 'Strict',
},
},
})
);
const res = await request.get('/login', { baseUrl, followRedirect: false });
assert.equal(res.statusCode, 302);

assert.include(fetchAuthCookie(res), 'SameSite=Strict');
});

it('should respect transactionCookie.sameSite when response_mode is not form_post', async () => {
server = await createServer(
auth({
...defaultConfig,
clientSecret: '__test_client_secret__',
transactionCookie: {
sameSite: 'Strict',
},
authorizationParams: {
response_mode: 'query',
response_type: 'code',
Expand All @@ -389,10 +409,8 @@ describe('auth', () => {
server = await createServer(
auth({
...defaultConfig,
session: {
cookie: {
sameSite: 'Strict',
},
transactionCookie: {
sameSite: 'Strict',
},
})
);
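Review bot: The form_post case in the second hunk swaps its `session.cookie.sameSite` setting for `transactionCookie.sameSite`, so no test now covers the `form_post` override when only `session.cookie.sameSite` is configured and the transaction value comes from the schema default — the configuration every existing user has after upgrading. Keep a variant with the old session-only configuration next to the new one rather than replacing it. Both the form_post test body and the second test of the first hunk (`should respect transactionCookie.sameSite …`) continue outside their hunks, so their assertions are not visible here.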