From 499ba408ea7e3f06144c63e60b15365a6dc83ef0 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Sun, 7 Jan 2024 00:42:51 +0100
Subject: [PATCH] Fix login and multi-auth on HTTP
---
 components/switch-account.js | 8 ++++++--
 middleware.js | 2 +-
 pages/api/auth/[...nextauth].js | 13 +------------
 pages/api/signout.js | 4 ++--
 4 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/components/switch-account.js b/components/switch-account.js
index d842437c..98d52ea8 100644
--- a/components/switch-account.js
+++ b/components/switch-account.js
@@ -12,6 +12,10 @@ const AccountContext = createContext()
 const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
 const b64Encode = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
 
+const secureCookie = cookie => {
+ return window.location.protocol === 'https:' ? cookie + '; Secure' : cookie
+}
+
 export const AccountProvider = ({ children }) => {
 const { me } = useMe()
 const [accounts, setAccounts] = useState([])
@@ -27,7 +31,7 @@ export const AccountProvider = ({ children }) => {
 // required for backwards compatibility: sync cookie with accounts if no multi auth cookie exists
 // this is the case for sessions that existed before we deployed account switching
 if (!multiAuthCookie && !!me) {
- document.cookie = `multi_auth=${b64Encode(accounts)}; Path=/; Secure`
+ document.cookie = secureCookie(`multi_auth=${b64Encode(accounts)}; Path=/`)
 }
 } catch (err) {
 console.error('error parsing cookies:', err)
@@ -91,7 +95,7 @@ const AccountListRow = ({ account, ...props }) => {
 const onClick = async (e) => {
 // prevent navigation
 e.preventDefault()
- document.cookie = `multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/; Secure`
+ document.cookie = secureCookie(`multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/`)
 if (anonRow) {
 // order is important to prevent flashes of no session
 setIsAnon(true)
diff --git a/middleware.js b/middleware.js
index 4e76ffdc..c6ef74e5 100644
--- a/middleware.js
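Review bot: The new `secureCookie` helper in the first hunk decides only the Secure attribute, so the `multi_auth` and `multi_auth.user-id` cookies written in the other two hunks still carry no SameSite attribute, while the server-side options in `setMultiAuthCookies` use `sameSite: 'lax'`; since this helper is now the one place the client writes these cookies, it is the natural spot to make them consistent, e.g. `return cookie + '; SameSite=Lax' + (window.location.protocol === 'https:' ? '; Secure' : '')`. A short JSDoc would also help readers: `/** Appends "; Secure" to a cookie string only when the page is served over HTTPS, so the cookie is still accepted on plain-HTTP dev setups. */`. `window` is read only when the helper is called, so the module-level definition is safe under SSR as long as callers stay inside effects and event handlers, which the two call sites appear to be.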
+++ b/middleware.js
@@ -20,7 +20,7 @@ const multiAuthMiddleware = (request) => {
 const cookiePointerName = 'multi_auth.user-id'
 const hasCookiePointer = request.cookies?.has(cookiePointerName)
 // is there a session?
- const sessionCookieName = '__Secure-next-auth.session-token'
+ const sessionCookieName = request.secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
 const hasSession = request.cookies?.has(sessionCookieName)
 
 if (!hasCookiePointer || !hasSession) {
diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js
index b65021a7..9c1d73fe 100644
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
@@ -97,7 +97,7 @@ function setMultiAuthCookies (req, res, { id, jwt, name, photoId }) {
 const cookieOptions = {
 path: '/',
 httpOnly: true,
- secure: true,
+ secure: req.secure,
 sameSite: 'lax',
 expires: expiresAt
 }
@@ -248,17 +248,6 @@ export const getAuthOptions = (req, res) => ({
 signIn: '/login',
 verifyRequest: '/email',
 error: '/auth/error'
- },
- cookies: {
- sessionToken: {
- name: '__Secure-next-auth.session-token',
- options: {
- httpOnly: true,
- sameSite: 'lax',
- path: '/',
- secure: true
- }
- }
 }
 })
diff --git a/pages/api/signout.js b/pages/api/signout.js
index 55d40b16..a0503c71 100644
--- a/pages/api/signout.js
+++ b/pages/api/signout.js
@@ -11,7 +11,7 @@ export default (req, res) => {
 const cookiePointerName = 'multi_auth.user-id'
 const userId = req.cookies[cookiePointerName]
 // is there a session?
- const sessionCookieName = '__Secure-next-auth.session-token'
+ const sessionCookieName = req.secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
 const sessionJWT = req.cookies[sessionCookieName]
 
 if (!userId || !sessionJWT) {
@@ -24,7 +24,7 @@ export default (req, res) => {
 const cookieOptions = {
 path: '/',
- secure: true,
+ secure: req.secure,
 httpOnly: true,
 sameSite: 'lax',
 expires: datePivot(new Date(), { months: 1 })
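Review bot: `request.secure` in multiAuthMiddleware (and `req.secure` in the `setMultiAuthCookies` hunk at line 97 and in both signout hunks) is an Express convenience property; as far as I can tell neither Node's `http.IncomingMessage`, which a Next.js API route `req` extends, nor the edge `NextRequest` defines it, so it evaluates to `undefined` on every request unless a custom server populates it. The effect is that `secure: req.secure` silently drops the Secure attribute from the multi-auth cookies even over HTTPS, a downgrade from the previous `secure: true`, and the lookups here and in signout always resolve to `next-auth.session-token`, which will not match the `__Secure-`-prefixed name NextAuth picks by default (its `useSecureCookies` default) for an https NEXTAUTH_URL now that the explicit `cookies.sessionToken` block has been removed. Derive the flag once from a signal that is actually present, e.g. `const secure = process.env.NEXTAUTH_URL?.startsWith('https://')` (or `x-forwarded-proto` when behind a reverse proxy), export it from one module, and use it for both the cookie name and the `secure` option so the three call sites cannot drift. multiAuthMiddleware's body continues outside the hunk.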