From 24168f556eafeef8865f3cac5baf9354a31f2fd8 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Sun, 19 Nov 2023 03:04:29 +0100
Subject: [PATCH] Use base64 encoding for multi_auth cookie
---
components/switch-account.js | 16 +++++++++++-----
pages/api/auth/[...nextauth].js | 4 ++--
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/components/switch-account.js b/components/switch-account.js
index 97bc80c9..5d38ae88 100644
--- a/components/switch-account.js
+++ b/components/switch-account.js
@@ -8,16 +8,22 @@ import Link from 'next/link'
const AccountContext = createContext()
+const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
+
export const AccountProvider = ({ children }) => {
const me = useMe()
const [accounts, setAccounts] = useState()
useEffect(() => {
- const { multi_auth: multiAuthCookie } = cookie.parse(document.cookie)
- const accounts = multiAuthCookie
- ? JSON.parse(multiAuthCookie)
- : me ? [{ id: me.id, name: me.name, photoId: me.photoId }] : []
- setAccounts(accounts)
+ try {
+ const { multi_auth: multiAuthCookie } = cookie.parse(document.cookie)
+ const accounts = multiAuthCookie
+ ? JSON.parse(b64Decode(multiAuthCookie))
+ : me ? [{ id: me.id, name: me.name, photoId: me.photoId }] : []
+ setAccounts(accounts)
+ } catch (err) {
+ console.error('error parsing cookies:', err)
+ }
}, [])
const addAccount = useCallback(user => {
diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js
index 818536a8..73ffda91 100644
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
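Review bot: When the `multi_auth` cookie is present but malformed, the new `catch` block only logs and never calls `setAccounts`, so `accounts` stays `undefined` instead of the `me`-derived default that the pre-change code produced for a missing cookie; consumers that iterate `accounts` now hit a different failure mode than before. The cookie is written with `httpOnly: false` in the other file and is base64-encoded rather than signed, so whatever `JSON.parse(b64Decode(...))` yields is client-controlled and should be shape-checked (array of objects with an `id`) before it is stored, with the fallback applied otherwise. I'd compute the fallback once, use it in both the missing-cookie and error paths, and validate the parsed value as below; the remainder of `AccountProvider` (from `addAccount` on) ends outside the hunk. Whether `Buffer` is polyfilled in the client bundle is not visible from the hunk — if it is not, `atob` would be the browser-side decoder to use in `b64Decode`.
```javascript
  useEffect(() => {
    const fallback = me ? [{ id: me.id, name: me.name, photoId: me.photoId }] : []
    try {
      const { multi_auth: multiAuthCookie } = cookie.parse(document.cookie)
      if (!multiAuthCookie) {
        setAccounts(fallback)
        return
      }
      // cookie is client-readable and unsigned: only accept the expected shape
      const parsed = JSON.parse(b64Decode(multiAuthCookie))
      const valid = Array.isArray(parsed) &&
        parsed.every(a => a && typeof a === 'object' && a.id !== undefined)
      setAccounts(valid ? parsed : fallback)
    } catch (err) {
      console.error('error parsing cookies:', err)
      setAccounts(fallback)
    }
  }, [])
```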
@@ -123,10 +123,10 @@ async function pubkeyAuth (credentials, req, res, pubkeyColumnName) {
res.appendHeader('Set-Cookie', cookie.serialize(`multi_auth.${me.id}`, tokenJWT, cookieOptions))
res.appendHeader('Set-Cookie', cookie.serialize('multi_auth',
- JSON.stringify([
+ Buffer.from(JSON.stringify([
{ id: user.id, name: user.name, photoId: user.photoId }, { id: me.id, name: me.name, photoId: me.photoId }
- ]),
+ ])).toString('base64'),
{ ...cookieOptions, httpOnly: false })) // don't switch accounts, we only want to add. switching is done in client via "pointer cookie"
return token
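Review bot: The base64 wrapping on the `+` lines only makes the JSON safe to put in a cookie; it adds no integrity, and because `multi_auth` is written with `httpOnly: false` and is unsigned, whatever the browser sends back in it is client-controlled. Nothing in the hunk reads it server-side and that must stay so — I'd record it next to the `cookie.serialize('multi_auth', ...)` call: `// base64 is only for cookie-safety: this list is client-readable and writable and must never be trusted server-side; auth state lives in the per-id multi_auth.<id> JWT cookies set with cookieOptions`. The standard base64 alphabet (`+`, `/`, `=`) is cookie-safe here only because `cookie.serialize` percent-encodes values by default; if `cookieOptions` ever carries a custom `encode`, switch to `.toString('base64url')` (Node ≥ 15.7) and keep the client-side decoder in step. Note also that the array is rebuilt as exactly `[user, me]` on every login, so a third account overwrites earlier entries despite the trailing comment saying "we only want to add" — pre-existing, not introduced here. `pubkeyAuth` begins outside the hunk.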