Fix login and multi-auth on HTTP
This commit is contained in:
parent
25d5bb53bb
commit
499ba408ea
@ -12,6 +12,10 @@ const AccountContext = createContext()
|
||||
const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
|
||||
const b64Encode = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
|
||||
|
||||
const secureCookie = cookie => {
|
||||
return window.location.protocol === 'https:' ? cookie + '; Secure' : cookie
|
||||
}
|
||||
|
||||
export const AccountProvider = ({ children }) => {
|
||||
const { me } = useMe()
|
||||
const [accounts, setAccounts] = useState([])
|
||||
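Review bot: `secureCookie` should carry a short doc comment explaining why the Secure attribute is conditional, e.g. `// Append the Secure attribute only when the page is served over HTTPS; modern browsers reject a Secure cookie set from a plain-HTTP origin, which is what broke login on HTTP.` This client-side rule keys on `window.location.protocol` while the server side keys on `req.secure` in the hunks below; behind a TLS-terminating proxy the browser sees `https:` but the server may not unless proxy headers are trusted, so the two can disagree, and a comment here pointing at the server-side rule would help keep them in sync. Stylistically, `cookie + '; Secure'` could be the template literal `` `${cookie}; Secure` `` to match the call sites.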
@ -27,7 +31,7 @@ export const AccountProvider = ({ children }) => {
|
||||
// required for backwards compatibility: sync cookie with accounts if no multi auth cookie exists
|
||||
// this is the case for sessions that existed before we deployed account switching
|
||||
if (!multiAuthCookie && !!me) {
|
||||
document.cookie = `multi_auth=${b64Encode(accounts)}; Path=/; Secure`
|
||||
document.cookie = secureCookie(`multi_auth=${b64Encode(accounts)}; Path=/`)
|
||||
}
|
||||
} catch (err) {
|
||||
console.error('error parsing cookies:', err)
|
||||
@ -91,7 +95,7 @@ const AccountListRow = ({ account, ...props }) => {
|
||||
const onClick = async (e) => {
|
||||
// prevent navigation
|
||||
e.preventDefault()
|
||||
document.cookie = `multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/; Secure`
|
||||
document.cookie = secureCookie(`multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/`)
|
||||
if (anonRow) {
|
||||
// order is important to prevent flashes of no session
|
||||
setIsAnon(true)
|
||||
|
@ -20,7 +20,7 @@ const multiAuthMiddleware = (request) => {
|
||||
const cookiePointerName = 'multi_auth.user-id'
|
||||
const hasCookiePointer = request.cookies?.has(cookiePointerName)
|
||||
// is there a session?
|
||||
const sessionCookieName = '__Secure-next-auth.session-token'
|
||||
const sessionCookieName = request.secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
|
||||
const hasSession = request.cookies?.has(sessionCookieName)
|
||||
|
||||
if (!hasCookiePointer || !hasSession) {
|
||||
|
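Review bot: `request.secure` on the new `sessionCookieName` line is an Express request property; if `request` here is a Next.js `NextRequest` (the `request.cookies?.has(...)` call suggests it is), no such property exists, the expression is always undefined, and the middleware looks up `next-auth.session-token` even on HTTPS, so `hasSession` is false whenever next-auth issued the `__Secure-` cookie and multi-auth silently does not apply. Consider deriving it from the URL instead, e.g. `const isSecure = request.nextUrl.protocol === 'https:'`; the same caveat applies to `req.secure` in the API-route hunk below (`const sessionCookieName = req.secure ? ...`) and to `secure: req.secure` in the two `cookieOptions` hunks, where an undefined value yields a cookie issued without Secure on production HTTPS. Because the explicit `cookies.sessionToken` block is removed in this commit, next-auth now picks the session cookie name by its own rule (in v4, as far as I recall, the protocol of `NEXTAUTH_URL`), so the three hand-written `? '__Secure-next-auth.session-token' : 'next-auth.session-token'` expressions should be replaced by one shared helper fed from that same input, so the lookup cannot drift from the name next-auth actually sets. The enclosing `multiAuthMiddleware` function begins before this hunk.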
@ -97,7 +97,7 @@ function setMultiAuthCookies (req, res, { id, jwt, name, photoId }) {
|
||||
const cookieOptions = {
|
||||
path: '/',
|
||||
httpOnly: true,
|
||||
secure: true,
|
||||
secure: req.secure,
|
||||
sameSite: 'lax',
|
||||
expires: expiresAt
|
||||
}
|
||||
@ -248,17 +248,6 @@ export const getAuthOptions = (req, res) => ({
|
||||
signIn: '/login',
|
||||
verifyRequest: '/email',
|
||||
error: '/auth/error'
|
||||
},
|
||||
cookies: {
|
||||
sessionToken: {
|
||||
name: '__Secure-next-auth.session-token',
|
||||
options: {
|
||||
httpOnly: true,
|
||||
sameSite: 'lax',
|
||||
path: '/',
|
||||
secure: true
|
||||
}
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
|
@ -11,7 +11,7 @@ export default (req, res) => {
|
||||
const cookiePointerName = 'multi_auth.user-id'
|
||||
const userId = req.cookies[cookiePointerName]
|
||||
// is there a session?
|
||||
const sessionCookieName = '__Secure-next-auth.session-token'
|
||||
const sessionCookieName = req.secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
|
||||
const sessionJWT = req.cookies[sessionCookieName]
|
||||
|
||||
if (!userId || !sessionJWT) {
|
||||
@ -24,7 +24,7 @@ export default (req, res) => {
|
||||
|
||||
const cookieOptions = {
|
||||
path: '/',
|
||||
secure: true,
|
||||
secure: req.secure,
|
||||
httpOnly: true,
|
||||
sameSite: 'lax',
|
||||
expires: datePivot(new Date(), { months: 1 })
|
||||
|