fix: sent cookies with sameSite=none

So Chrome will include it in cross-site requests
distributeaid · Sep 13, 2021 · 080fd5d · 080fd5d
1 parent 5199cfe
commit 080fd5d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/src/authenticateRequest.ts b/src/authenticateRequest.ts
@@ -60,6 +60,7 @@ export const authCookie = (
     secure: true,
     httpOnly: true,
     expires: new Date(Date.now() + lifetimeInMinutes * 60 * 1000),
+    sameSite: 'none',
   },
 ]
 
@@ -72,6 +73,7 @@ export const expireAuthCookie = (): [string, string, CookieOptions] => [
     secure: true,
     httpOnly: true,
     expires: new Date(Date.now() - 60 * 1000),
+    sameSite: 'none',
   },
 ]
 

diff --git a/src/tests/authentication.test.ts b/src/tests/authentication.test.ts
@@ -149,7 +149,11 @@ describe('User account API', () => {
 
       const cookieInfo = parseCookie(res.header['set-cookie'][0] as string)
       expect(cookieInfo[authCookieName]).toBeDefined()
-      expect(cookieInfo.options).toMatchObject({ Path: '/', HttpOnly: true })
+      expect(cookieInfo.options).toMatchObject({
+        Path: '/',
+        HttpOnly: true,
+        sameSite: 'none',
+      })
       const expiresIn =
         new Date(cookieInfo.options.Expires).getTime() - Date.now()
       expect(expiresIn).toBeLessThan(30 * 60 * 1000)
@@ -207,7 +211,11 @@ describe('User account API', () => {
           .expect(204)
         const cookieInfo = parseCookie(res.header['set-cookie'][0] as string)
         expect(cookieInfo[authCookieName]).toBeDefined()
-        expect(cookieInfo.options).toMatchObject({ Path: '/', HttpOnly: true })
+        expect(cookieInfo.options).toMatchObject({
+          Path: '/',
+          HttpOnly: true,
+          sameSite: 'none',
+        })
         const expiresIn =
           new Date(cookieInfo.options.Expires).getTime() - Date.now()
         expect(expiresIn).toBeLessThan(0) // Expires is in the past