Fix login and multi-auth on HTTP

components/switch-account.js

@@ -12,6 +12,10 @@ const AccountContext = createContext()
 const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
 const b64Encode = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
 
+const secureCookie = cookie => {
+  return window.location.protocol === 'https:' ? cookie + '; Secure' : cookie
+}
+
 export const AccountProvider = ({ children }) => {
   const { me } = useMe()
   const [accounts, setAccounts] = useState([])
@@ -27,7 +31,7 @@ export const AccountProvider = ({ children }) => {
       // required for backwards compatibility: sync cookie with accounts if no multi auth cookie exists
       // this is the case for sessions that existed before we deployed account switching
       if (!multiAuthCookie && !!me) {
-        document.cookie = `multi_auth=${b64Encode(accounts)}; Path=/; Secure`
+        document.cookie = secureCookie(`multi_auth=${b64Encode(accounts)}; Path=/`)
       }
     } catch (err) {
       console.error('error parsing cookies:', err)
@@ -91,7 +95,7 @@ const AccountListRow = ({ account, ...props }) => {
   const onClick = async (e) => {
     // prevent navigation
     e.preventDefault()
-    document.cookie = `multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/; Secure`
+    document.cookie = secureCookie(`multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/`)
     if (anonRow) {
       // order is important to prevent flashes of no session
       setIsAnon(true)

middleware.js

@@ -20,7 +20,7 @@ const multiAuthMiddleware = (request) => {
   const cookiePointerName = 'multi_auth.user-id'
   const hasCookiePointer = request.cookies?.has(cookiePointerName)
   // is there a session?
-  const sessionCookieName = '__Secure-next-auth.session-token'
+  const sessionCookieName = request.secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
   const hasSession = request.cookies?.has(sessionCookieName)
 
   if (!hasCookiePointer || !hasSession) {

pages/api/auth/[...nextauth].js

@@ -97,7 +97,7 @@ function setMultiAuthCookies (req, res, { id, jwt, name, photoId }) {
   const cookieOptions = {
     path: '/',
     httpOnly: true,
-    secure: true,
+    secure: req.secure,
     sameSite: 'lax',
     expires: expiresAt
   }
@@ -248,17 +248,6 @@ export const getAuthOptions = (req, res) => ({
     signIn: '/login',
     verifyRequest: '/email',
     error: '/auth/error'
-  },
-  cookies: {
-    sessionToken: {
-      name: '__Secure-next-auth.session-token',
-      options: {
-        httpOnly: true,
-        sameSite: 'lax',
-        path: '/',
-        secure: true
-      }
-    }
   }
 })
 

pages/api/signout.js

@@ -11,7 +11,7 @@ export default (req, res) => {
   const cookiePointerName = 'multi_auth.user-id'
   const userId = req.cookies[cookiePointerName]
   // is there a session?
-  const sessionCookieName = '__Secure-next-auth.session-token'
+  const sessionCookieName = req.secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
   const sessionJWT = req.cookies[sessionCookieName]
 
   if (!userId || !sessionJWT) {
@@ -24,7 +24,7 @@ export default (req, res) => {
 
   const cookieOptions = {
     path: '/',
-    secure: true,
+    secure: req.secure,
     httpOnly: true,
     sameSite: 'lax',
     expires: datePivot(new Date(), { months: 1 })