Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(adapter-nextjs): set cookie secure: false with non-SSL domain #13841

Merged
merged 3 commits into from
Jan 3, 2025
Merged

feat(adapter-nextjs): set cookie secure: false with non-SSL domain #13841

merged 3 commits into from
Jan 3, 2025

Conversation

HuiSF
Copy link
Member

@HuiSF HuiSF commented Sep 23, 2024

Description of changes

  1. Set secure: false with non-SSL domains
  2. Add validation of the origin string

Issue #, if available

Description of how you validated changes

  • Unit tests

Checklist

  • PR description included
  • yarn test passes
  • Unit Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)

Checklist for repo maintainers

  • Verify E2E tests for existing workflows are working as expected or add E2E tests for newly added workflows
  • New source file paths included in this PR have been added to CODEOWNERS, if appropriate

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 7a35370 to 0779333 Compare October 1, 2024 23:03
@HuiSF HuiSF requested a review from a team as a code owner October 1, 2024 23:03
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 6edd287 to 72693a6 Compare October 1, 2024 23:04
AllanZhengYP
AllanZhengYP approved these changes Oct 14, 2024
View reviewed changes
packages/adapter-nextjs/src/auth/utils/isValidOrigin.ts Outdated

// a regular expression that validates the origin string to be any valid origin, and allowing local development localhost
const originRegex =
/^(http:\/\/localhost(:\d{1,5})?)|(https?:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?)$/;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this regex sourced from any spec? If so, it'd be better to attach the source.

@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 0779333 to ccca0a9 Compare November 21, 2024 17:07
@HuiSF HuiSF requested a review from pranavosu as a code owner November 21, 2024 17:07
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 72693a6 to 9c80fa4 Compare November 21, 2024 17:08
@jjarvisp jjarvisp self-requested a review December 5, 2024 22:50
jjarvisp
jjarvisp reviewed Dec 5, 2024
View reviewed changes
Copy link
Member

@jjarvisp jjarvisp left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed async about inverting isNonSSLOrigin result

@jjarvisp jjarvisp self-requested a review December 11, 2024 22:37
@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from ccca0a9 to 554c470 Compare December 27, 2024 17:17
@HuiSF HuiSF requested a review from sktimalsina as a code owner December 27, 2024 17:17
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 9c80fa4 to 24fba6f Compare December 27, 2024 22:18
@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 554c470 to 834215f Compare January 2, 2025 22:14
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 43e6b22 to 48e7052 Compare January 2, 2025 22:15
@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 834215f to 93d43cc Compare January 2, 2025 23:44
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 48e7052 to 6852abb Compare January 2, 2025 23:46
ashika112
ashika112 reviewed Jan 3, 2025
View reviewed changes
packages/adapter-nextjs/src/auth/utils/origin.ts
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// a regular expression that validates the origin string to be any valid origin, and allowing local development localhost
Copy link
Member

@ashika112 ashika112 Jan 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: a explanation of what is expected or what standard it follows in the comment would help

ashika112
ashika112 reviewed Jan 3, 2025
View reviewed changes
packages/adapter-nextjs/src/auth/utils/tokenCookies.ts
@@ -56,11 +56,12 @@ export const createTokenRemoveCookies = (keys: string[]) =>

export const createTokenCookiesSetOptions = (
setCookieOptions: CookieStorage.SetCookieOptions,
overrides?: Pick<CookieStorage.SetCookieOptions, 'secure'>,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curious: why is this overrides introduced now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for setting secure: false when local dev server is detected - with server-side auth flows, all cookies beings set have attribute secure: true by default and secure attribute is not a configurable fields on the public interface for now.

Base automatically changed from hui/fix/adapter-nextjs/5-handler-type-def to feat/server-auth/main January 3, 2025 20:12
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from f7771ce to ce16bcd Compare January 3, 2025 20:18
@HuiSF HuiSF merged commit f1a44ab into feat/server-auth/main Jan 3, 2025
1 check passed
@HuiSF HuiSF deleted the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch January 3, 2025 20:18
HuiSF added a commit that referenced this pull request Jan 6, 2025
@HuiSF
feat(adapter-nextjs): set cookie secure: false with non-SSL domain (#…
c6297db 
…13841)

* feat(adapter-nextjs): allow cookie secure: false with non-SSL domain

* fix(adapter-nextjs): wrong naming and impl. of isSSLOrigin

* chore(adapter-nextjs): resolve comment
HuiSF added a commit that referenced this pull request Jan 9, 2025
@HuiSF
feat(adapter-nextjs): set cookie secure: false with non-SSL domain (#…
daf687c 
…13841)

* feat(adapter-nextjs): allow cookie secure: false with non-SSL domain

* fix(adapter-nextjs): wrong naming and impl. of isSSLOrigin

* chore(adapter-nextjs): resolve comment
HuiSF added a commit that referenced this pull request Jan 27, 2025
@HuiSF
feat(adapter-nextjs): set cookie secure: false with non-SSL domain (#…
aca99a7 
…13841)

* feat(adapter-nextjs): allow cookie secure: false with non-SSL domain

* fix(adapter-nextjs): wrong naming and impl. of isSSLOrigin

* chore(adapter-nextjs): resolve comment
HuiSF added a commit that referenced this pull request Feb 11, 2025
@HuiSF
feat: support server-side auth flows with Cognito managed login (#14168)
825d338 
* feat(adapter-nextjs): add runtimeOptions.cookies to createServerRunner (#13788)

* feat(aws-amplify|adapter-nextjs): add runtimeOptions.cookies to createServerRunner

* chore: resolve comments

* chore(adapter-nextjs): adapt the latest impl. changes

* feat(adapter-nextjs): add createAuthRouteHandlers to createServerRunner (#13801)

* feat(aws-amplify|adapter-nextjs): add runtimeOptions.cookies to createServerRunner

* feat(adapter-nextjs): add createAuthRouteHandlers to createServerRunner

* chore(adapter-nextjs): resolve comments

* chore(adapter-nextjs): remove unnecessary check

* feat(adapter-nextjs): server-side auth flows integrating cognito hosted UI (#13827)

* chore(auth): export necessary utilities and types to support server-side auth

* chore(aws-amplify): export necessary utilities to support server-side auth

* feat(adapter-nextjs): server-side auth api route integrating cognito hosted ui

* chore(adapter-nextjs): resolve comments

* refactor(adapter-nextjs): remove redundant username fallback

* feat(adapter-nextjs): add user has signed in check before initiating sign-in and sign-up (#13839)

* feat(adapter-nextjs): add user has signed in check before initiating sign-in and sign-up

* chore(adapter-nextjs): rename hasUserSignedIn to hasActiveUserSession

* fix(adapter-nextjs): make createAuthRouteHandlers interface work in both App and Pages routers (#13840)

* feat(adapter-nextjs): set cookie secure: false with non-SSL domain (#13841)

* feat(adapter-nextjs): allow cookie secure: false with non-SSL domain

* fix(adapter-nextjs): wrong naming and impl. of isSSLOrigin

* chore(adapter-nextjs): resolve comment

* refactor(adapter-nextjs): use maxAge attribute to set cookie from server to avoid clock drift (#14103)

* fix(adapter-nextjs): wrong use of nullish coalescing (#14112)

* refactor(adapter-nextjs): remove redundant clockDrift cookie (#14114)

refactor(adapter-nextjs): remove redundant clockDrift cookie ⤵️

Reasons:
  1. token exachange is happening on a server - and production server rarely has wrong system time
  2. when setting token cookies from server, it uses Max-Age header which is relative to the client system time. Clock drift became irrelevant
  3. surely we can argue sever system time can go wrong too, however, a Next.js app API route can be executed on different servers (load balancing), there is no source of truth to generate a clock drift value

* chore: enable tag publishing for server-auth (#14115)

* fix(adapter-nextjs): wrong spot for checking app origin and auth config (#14119)

* fix(adapter-nextjs): not await params async API in Next.js 15 (#14125)

* feat(adapter-nextjs): surface redirect error and sign-in timeout error (#14116)

* feat(adapter-nextjs): surface redirect error and sign-in timeout error

* feat(adapter-nextjs): expose both error and errorDescription

* chore(adapter-nextjs): remove unnecessary undefined fallback

* chore(adapter-nextjs): add warning re: using http in production (#14134)

* fix(core): generateRandomString uses Math.random() (#14132)

* fix(core): generateRandomString uses Math.random()

* chore(core): use better test to test actual logic

* chore(aws-amplify/adapter-nextjs): remove extraneous deps (#14141)

* fix(adapter-nextjs): removing only tokens and LastAuthUser cookies (#14152)

* fix(adapter-nextjs): wrong cookie attributes get set sometimes (#14169)

* chore: add E2E tests for next.js server auth

* chore: disable tag release

* fix(aws-amplify|api): internals export paths
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jjarvisp jjarvisp jjarvisp approved these changes

@AllanZhengYP AllanZhengYP AllanZhengYP approved these changes

@ashika112 ashika112 ashika112 approved these changes

@ukhan-amazon ukhan-amazon Awaiting requested review from ukhan-amazon

@haverchuck haverchuck Awaiting requested review from haverchuck

@cshfang cshfang Awaiting requested review from cshfang cshfang is a code owner

@jimblanc jimblanc Awaiting requested review from jimblanc

@pranavosu pranavosu Awaiting requested review from pranavosu pranavosu is a code owner

@sktimalsina sktimalsina Awaiting requested review from sktimalsina sktimalsina is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@HuiSF @AllanZhengYP @ashika112 @jjarvisp