Session cookie sameSite option #2602
I think this PR highlights that we should perhaps have a different approach to doing cookie config. I'd rather not have the Keystone class API need to match every possible cookie option. It would be better if we could pass through a single cookie object and have it spread into the expressSession constructor along with some sane defaults.
This will introduce a couple of breaking changes in passport.js, social-login and the documentation. I could do something like this and update related files and documentation. Is this a good direction or will it cause too many issues for existing projects?
- cookieSecret = 'qwerty',
- sessionStore,
- secureCookies = process.env.NODE_ENV === 'production', // Default to true in production
- cookieMaxAge = 1000 * 60 * 60 * 24 * 30, // 30 days
- cookieSameSite = false,
+ cookie = {
+ sessionStore: null,
+ cookieSecret: 'qwerty',
+ secureCookies: process.env.NODE_ENV === 'production', // Default to true in production
+ cookieMaxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
+ cookieSameSite: false,
+ },
this._sessionManager = new SessionManager({
- cookieSecret,
- secureCookies,
- cookieMaxAge,
- cookieSameSite,
- sessionStore,
+ ...cookie,
});
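Review bot: the `+ cookie = {` block keeps the old key names (`cookieSecret`, `secureCookies`, `cookieMaxAge`, `cookieSameSite`) and also nests `sessionStore`, which is not a cookie attribute, so `+ ...cookie,` reproduces the previous `SessionManager` arguments under a new name rather than a pass-through object that matches express-session's cookie options (`secure`, `maxAge`, `sameSite`) as the review suggested; consider naming the keys after those options and keeping `sessionStore` and `cookieSecret` as separate top-level arguments. The hardcoded default `cookieSecret: 'qwerty'` also survives the change; a warning (or a hard failure in production) when the secret is still the default would be worth adding in the same pass.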
That's more or less it, except it would only be
The intention with this PR was to add the sameSite property. However, by passing an object we can also configure other cookie properties
Not sure what @timleslie means with "spread into the
Thanks @ropaolle, the new changes look like what I had in mind. I'll review this today and let you know if there are any changes required, but I think this is getting really close now 👍
I added a session cookie sameSite option. It may be too early to implement as sameSite still is a Draft. Not sure.
SameSite is an attribute that has not yet been fully standardized, and may change in the future. This also means many clients may ignore this attribute until they understand it.
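The two ideas in this thread, a single cookie object spread over sane defaults (timleslie's suggestion) and a `sameSite` option that ends up on the session cookie (the PR's purpose), as an added example that is not Keystone's or express-session's code. `buildCookieOptions`, `serializeSetCookie`, the default values and the cookie name `keystone.sid` are assumptions made for illustration; the option names and the `true` -> `Strict` mapping follow the express-session/cookie libraries, and the serializer is a minimal stand-in so the resulting `Set-Cookie` header can be inspected without a server.

```javascript
// Added example (not project code): merge a caller-supplied cookie object over
// defaults, validate it, and show the Set-Cookie header that results.

// Assumed "sane defaults"; the real defaults belong in the project's config.
const DEFAULT_COOKIE = {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production', // Secure only in production
  maxAge: 1000 * 60 * 60 * 24 * 30,              // 30 days, milliseconds as express-session expects
  sameSite: 'lax',
};

// Values express-session accepts for cookie.sameSite.
const SAME_SITE_VALUES = [true, false, 'lax', 'strict', 'none'];

// Spread caller overrides over the defaults and reject combinations that
// browsers will not honour.
function buildCookieOptions(overrides = {}) {
  const cookie = { ...DEFAULT_COOKIE, ...overrides };

  if (!SAME_SITE_VALUES.includes(cookie.sameSite)) {
    throw new TypeError(`invalid sameSite value: ${String(cookie.sameSite)}`);
  }
  // SameSite=None is rejected by browsers unless the cookie is also Secure.
  if (cookie.sameSite === 'none' && !cookie.secure) {
    throw new Error('sameSite "none" requires secure: true');
  }
  return cookie;
}

// Minimal Set-Cookie serializer (stand-in for the `cookie` package) so the
// effect of each option is visible. Max-Age is in seconds on the wire.
function serializeSetCookie(name, value, cookie) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (cookie.maxAge != null) parts.push(`Max-Age=${Math.floor(cookie.maxAge / 1000)}`);
  parts.push('Path=/');
  if (cookie.httpOnly) parts.push('HttpOnly');
  if (cookie.secure) parts.push('Secure');
  if (cookie.sameSite) {
    // `true` means Strict, matching the cookie library's behaviour.
    const attr = cookie.sameSite === true
      ? 'Strict'
      : cookie.sameSite[0].toUpperCase() + cookie.sameSite.slice(1);
    parts.push(`SameSite=${attr}`);
  }
  return parts.join('; ');
}

// Usage: only the options a deployment cares about are passed in.
const opts = buildCookieOptions({ sameSite: 'strict', secure: true });
console.log(serializeSetCookie('keystone.sid', 'constructed-session-id', opts));
```

The validation step is where a pass-through object pays off: the class API no longer needs a named parameter per cookie attribute, but a single check point can still catch the combination (`SameSite=None` without `Secure`) that a client would silently drop, which is the failure mode the express-session note above warns about.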