cal/packages/lib/default-cookies.ts

import { CookiesOptions } from "next-auth";

import { isENVDev } from "@calcom/lib/env";

/**
 * Copy from 'https://github.com/nextauthjs/next-auth/blob/227ff2259f/src/core/lib/cookie.ts' as we can't import it directly
 *
 * Use secure cookies if the site uses HTTPS
 * This being conditional allows cookies to work non-HTTPS development URLs
 * Honour secure cookie option, which sets 'secure' and also adds '__Secure-'
 * prefix, but enable them by default if the site URL is HTTPS; but not for
 * non-HTTPS URLs like http://localhost which are used in development).
 * For more on prefixes see https://googlechrome.github.io/samples/cookie-prefixes/
 *
 */

const NEXTAUTH_COOKIE_DOMAIN = process.env.NEXTAUTH_COOKIE_DOMAIN || "";
export function defaultCookies(useSecureCookies: boolean): CookiesOptions {
  const cookiePrefix = useSecureCookies ? "__Secure-" : "";

  const defaultOptions = {
    domain: isENVDev ? undefined : NEXTAUTH_COOKIE_DOMAIN,
    // To enable cookies on widgets,
    // https://stackoverflow.com/questions/45094712/iframe-not-reading-cookies-in-chrome
    // But we need to set it as `lax` in development
    sameSite: useSecureCookies ? "none" : "lax",
    path: "/",
    secure: useSecureCookies,
  };
  return {
    sessionToken: {
      name: `${cookiePrefix}next-auth.session-token`,
      options: {
        ...defaultOptions,
        httpOnly: true,
      },
    },
    callbackUrl: {
      name: `${cookiePrefix}next-auth.callback-url`,
      options: defaultOptions,
    },
    csrfToken: {
      name: `${cookiePrefix}next-auth.csrf-token`,
      options: {
        ...defaultOptions,
        httpOnly: true,
      },
    },
    pkceCodeVerifier: {
      name: `${cookiePrefix}next-auth.pkce.code_verifier`,
      options: {
        ...defaultOptions,
        httpOnly: true,
      },
    },
    state: {
      name: `${cookiePrefix}next-auth.state`,
      options: {
        ...defaultOptions,
        httpOnly: true,
      },
    },
  };
}
Feature: Verify login on signup with magic link. (#2122) * manual migration to rename verificationtoken, maybe it could be dropped and create a new table instead if we're not using it, will consult @zomars * feat: rename verificationRequest --> verificationToken in schema.prisma * fix: rename verificationRequest -> verificationToken in the codebase * feat: add default cookies for next-auth * fix: moves @lib/serverConfig to @calcom/lib so it can be called by website too * fix: make self-certificate work in dev env by not rejecting tls in serverConfig * fix verificationTokenToken typo Co-authored-by: Omar López <zomars@me.com> * Adds domain: .cal.com if not dev env in cookies * Adds default-cookies to apps/web, and nextauth_domain to turbo website build deps"a * update NEXTAUTH_DOMAIN to NEXTAUTH_COOKIE_DOMAIN * Updates website submodule * Removes deprecated env vars * Consolidates auth logic in one place * Updates website module * Signup fixes * Build fixes * Updates example * Updates example * Fixes * Fix Email Verification * fix: move csrf-token cookiePrefix from __Host -> __Secure * Removes console log * Fixes link in email template * Removed irrelevant coment * Testing with a 32 bit secret * Fixes for cookien in E2E * E2E fixes * Fixes Stripe tests locally * Temp fix for E2E Co-authored-by: Agusti Fernandez Pardo <git@agusti.me> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com> Co-authored-by: Omar López <zomars@me.com> Co-authored-by: Hariom Balhara <hariombalhara@gmail.com> 2022-04-21 17:32:25 -03:00			`import { CookiesOptions } from "next-auth";`

			`import { isENVDev } from "@calcom/lib/env";`

			`/**`
			`* Copy from 'https://github.com/nextauthjs/next-auth/blob/227ff2259f/src/core/lib/cookie.ts' as we can't import it directly`
			`*`
			`* Use secure cookies if the site uses HTTPS`
			`* This being conditional allows cookies to work non-HTTPS development URLs`
			`* Honour secure cookie option, which sets 'secure' and also adds '__Secure-'`
			`* prefix, but enable them by default if the site URL is HTTPS; but not for`
			`* non-HTTPS URLs like http://localhost which are used in development).`
			`* For more on prefixes see https://googlechrome.github.io/samples/cookie-prefixes/`
			`*`
			`*/`

			`const NEXTAUTH_COOKIE_DOMAIN = process.env.NEXTAUTH_COOKIE_DOMAIN \|\| "";`
			`export function defaultCookies(useSecureCookies: boolean): CookiesOptions {`
			`const cookiePrefix = useSecureCookies ? "__Secure-" : "";`

			`const defaultOptions = {`
			`domain: isENVDev ? undefined : NEXTAUTH_COOKIE_DOMAIN,`
			`// To enable cookies on widgets,`
			`// https://stackoverflow.com/questions/45094712/iframe-not-reading-cookies-in-chrome`
			// But we need to set it as `lax` in development
			`sameSite: useSecureCookies ? "none" : "lax",`
			`path: "/",`
			`secure: useSecureCookies,`
			`};`
			`return {`
			`sessionToken: {`
			name: `${cookiePrefix}next-auth.session-token`,
			`options: {`
			`...defaultOptions,`
			`httpOnly: true,`
			`},`
			`},`
			`callbackUrl: {`
			name: `${cookiePrefix}next-auth.callback-url`,
			`options: defaultOptions,`
			`},`
			`csrfToken: {`
			name: `${cookiePrefix}next-auth.csrf-token`,
			`options: {`
			`...defaultOptions,`
			`httpOnly: true,`
			`},`
			`},`
			`pkceCodeVerifier: {`
			name: `${cookiePrefix}next-auth.pkce.code_verifier`,
			`options: {`
			`...defaultOptions,`
			`httpOnly: true,`
			`},`
			`},`
			`state: {`
			name: `${cookiePrefix}next-auth.state`,
			`options: {`
			`...defaultOptions,`
			`httpOnly: true,`
			`},`
			`},`
			`};`
			`}`