From 5e2185c18f6e024070c283c209a5dd639c71cc2d Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Fri, 21 Mar 2025 19:53:49 -0500
Subject: [PATCH] Use cookieOptions for pointer cookie (#2005)

---
 components/account.js | 8 +++-----
 lib/auth.js | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/components/account.js b/components/account.js
index 9e880cde..f74c1b86 100644
--- a/components/account.js
+++ b/components/account.js
@@ -9,6 +9,7 @@ import { UserListRow } from '@/components/user-list'
 import Link from 'next/link'
 import AddIcon from '@/svgs/add-fill.svg'
 import { MultiAuthErrorBanner } from '@/components/banners'
+import { cookieOptions } from '@/lib/auth'
 const AccountContext = createContext()
@@ -16,10 +17,6 @@ const CHECK_ERRORS_INTERVAL_MS = 5_000
 const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
-const maybeSecureCookie = cookie => {
- return window.location.protocol === 'https:' ? cookie + '; Secure' : cookie
-}
-
 export const AccountProvider = ({ children }) => {
 const [accounts, setAccounts] = useState([])
 const [meAnon, setMeAnon] = useState(true)
@@ -115,7 +112,8 @@ const AccountListRow = ({ account, ...props }) => {
 e.preventDefault()
 // update pointer cookie
- document.cookie = maybeSecureCookie(`multi_auth.user-id=${anonRow ? 'anonymous' : account.id}; Path=/`)
+ const options = cookieOptions({ httpOnly: false })
+ document.cookie = cookie.serialize('multi_auth.user-id', anonRow ? 'anonymous' : account.id, options)
 // update state
 if (anonRow) {
diff --git a/lib/auth.js b/lib/auth.js
index 0fa2da4c..19342132 100644
--- a/lib/auth.js
+++ b/lib/auth.js
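Review bot: The new `document.cookie = cookie.serialize(...)` line in the third account.js hunk relies on a `cookie` binding, but the import hunk at the top only adds `cookieOptions`; unless `cookie` is already imported above line 9 (not visible here), clicking an account row will throw a ReferenceError at the moment the pointer cookie is written, so please confirm an `import cookie from 'cookie'` exists in that file. Separately, the `Secure` attribute now follows the build-time `process.env.NODE_ENV` check inside `cookieOptions` instead of the old runtime `window.location.protocol === 'https:'` test, which means a production build reached over plain http has its pointer cookie silently dropped by the browser — fine if production is always served over https, but worth a call-site comment such as `// Secure flag follows NODE_ENV so it matches the server-side session cookie`. The `{ httpOnly: false }` override is necessary because a cookie carrying HttpOnly cannot be set from `document.cookie`, yet whether it actually wins depends on how `cookieOptions` merges `args` relative to its `httpOnly` default, which is outside the visible part of the lib/auth.js hunk. The enclosing `AccountListRow` click handler continues outside the hunk.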
@@ -11,7 +11,7 @@ const userJwtRegexp = /^multi_auth\.\d+$/
 const HTTPS = process.env.NODE_ENV === 'production'
 const SESSION_COOKIE_NAME = HTTPS ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
-const cookieOptions = (args) => ({
+export const cookieOptions = (args) => ({
 path: '/',
 secure: process.env.NODE_ENV === 'production',
 // httpOnly cookies by default