Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(adapter-nextjs): set cookie secure: false with non-SSL domain #13841

Merged
merged 3 commits into from
Jan 3, 2025
Merged

feat(adapter-nextjs): set cookie secure: false with non-SSL domain #13841

merged 3 commits into from
Jan 3, 2025

Conversation

HuiSF
Copy link
Member

@HuiSF HuiSF commented Sep 23, 2024

Description of changes

  1. Set secure: false with non-SSL domains
  2. Add validation of the origin string

Issue #, if available

Description of how you validated changes

  • Unit tests

Checklist

  • PR description included
  • yarn test passes
  • Unit Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)

Checklist for repo maintainers

  • Verify E2E tests for existing workflows are working as expected or add E2E tests for newly added workflows
  • New source file paths included in this PR have been added to CODEOWNERS, if appropriate

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 7a35370 to 0779333 Compare October 1, 2024 23:03
@HuiSF HuiSF requested a review from a team as a code owner October 1, 2024 23:03
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 6edd287 to 72693a6 Compare October 1, 2024 23:04
AllanZhengYP
AllanZhengYP approved these changes Oct 14, 2024
View reviewed changes
packages/adapter-nextjs/src/auth/utils/isValidOrigin.ts Outdated

// a regular expression that validates the origin string to be any valid origin, and allowing local development localhost
const originRegex =
/^(http:\/\/localhost(:\d{1,5})?)|(https?:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?)$/;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this regex sourced from any spec? If so, it'd be better to attach the source.

@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 0779333 to ccca0a9 Compare November 21, 2024 17:07
@HuiSF HuiSF requested a review from pranavosu as a code owner November 21, 2024 17:07
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 72693a6 to 9c80fa4 Compare November 21, 2024 17:08
@jjarvisp jjarvisp self-requested a review December 5, 2024 22:50
jjarvisp
jjarvisp reviewed Dec 5, 2024
View reviewed changes
Copy link
Member

@jjarvisp jjarvisp left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed async about inverting isNonSSLOrigin result

packages/adapter-nextjs/src/auth/utils/isValidOrigin.ts Outdated Show resolved Hide resolved
@jjarvisp jjarvisp self-requested a review December 11, 2024 22:37
@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from ccca0a9 to 554c470 Compare December 27, 2024 17:17
@HuiSF HuiSF requested a review from sktimalsina as a code owner December 27, 2024 17:17
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 9c80fa4 to 24fba6f Compare December 27, 2024 22:18
@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 554c470 to 834215f Compare January 2, 2025 22:14
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 43e6b22 to 48e7052 Compare January 2, 2025 22:15
@HuiSF HuiSF force-pushed the hui/fix/adapter-nextjs/5-handler-type-def branch from 834215f to 93d43cc Compare January 2, 2025 23:44
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from 48e7052 to 6852abb Compare January 2, 2025 23:46
ashika112
ashika112 reviewed Jan 3, 2025
View reviewed changes
packages/adapter-nextjs/src/auth/utils/origin.ts
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// a regular expression that validates the origin string to be any valid origin, and allowing local development localhost
Copy link
Member

@ashika112 ashika112 Jan 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: a explanation of what is expected or what standard it follows in the comment would help

ashika112
ashika112 reviewed Jan 3, 2025
View reviewed changes
packages/adapter-nextjs/src/auth/utils/tokenCookies.ts
@@ -56,11 +56,12 @@ export const createTokenRemoveCookies = (keys: string[]) =>

export const createTokenCookiesSetOptions = (
setCookieOptions: CookieStorage.SetCookieOptions,
overrides?: Pick<CookieStorage.SetCookieOptions, 'secure'>,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curious: why is this overrides introduced now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is for setting secure: false when local dev server is detected - with server-side auth flows, all cookies beings set have attribute secure: true by default and secure attribute is not a configurable fields on the public interface for now.

Base automatically changed from hui/fix/adapter-nextjs/5-handler-type-def to feat/server-auth/main January 3, 2025 20:12
@HuiSF HuiSF force-pushed the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch from f7771ce to ce16bcd Compare January 3, 2025 20:18
@HuiSF HuiSF merged commit f1a44ab into feat/server-auth/main Jan 3, 2025
1 check passed
@HuiSF HuiSF deleted the hui/feat/adapter-nextjs/6-secure-for-non-ssl branch January 3, 2025 20:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jjarvisp jjarvisp jjarvisp approved these changes

@ashika112 ashika112 ashika112 approved these changes

@AllanZhengYP AllanZhengYP AllanZhengYP approved these changes

@ukhan-amazon ukhan-amazon Awaiting requested review from ukhan-amazon

@haverchuck haverchuck Awaiting requested review from haverchuck

@cshfang cshfang Awaiting requested review from cshfang cshfang is a code owner

@jimblanc jimblanc Awaiting requested review from jimblanc

@pranavosu pranavosu Awaiting requested review from pranavosu pranavosu is a code owner

@sktimalsina sktimalsina Awaiting requested review from sktimalsina sktimalsina is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@HuiSF @AllanZhengYP @ashika112 @jjarvisp