refactor(adapter-nextjs): use maxAge attribute to set cookie from server to avoid clock drift #14103
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HuiSF
requested review from
sktimalsina,
cshfang,
pranavosu and
a team
as code owners
AllanZhengYP
approved these changes
Dec 31, 2024
| @@ -22,5 +22,6 @@ export const PKCE_COOKIE_NAME = 'com.amplify.server_auth.pkce'; | |||
| export const STATE_COOKIE_NAME = 'com.amplify.server_auth.state'; | |||
| export const IS_SIGNING_OUT_COOKIE_NAME = | |||
| 'com.amplify.server_auth.isSigningOut'; | |||
| export const AUTH_FLOW_PROOF_COOKIE_EXPIRY = 10 * 60 * 1000; // 10 mins | |||
| export const AUTH_FLOW_PROOF_MAX_AGE = 10 * 60; // 10 mins in seconds | |||
| export const REMOVE_COOKIE_MAX_AGE = -1; // -1 to remove the cookie immediately (0 ==> session cookie) | |||
There was a problem hiding this comment.
(0 ==> session cookie)
I'm curious whether this is a common behavior by the specs
There was a problem hiding this comment.
According to MDN setting 0 should also make the cookie expire immediately - however, when I set the cookie from the server with 0, the cookie gets marked as session, and remaining in cookie store until closing the tab.
HuiSF
force-pushed
the
hui/feat/adapter-nextjs/6-secure-for-non-ssl
branch
from
43e6b22 to
48e7052
Compare
HuiSF
force-pushed
the
hui/feat/adapter-nextjs/7-use-max-age
branch
from
c850f31 to
ab50e6c
Compare
HuiSF
force-pushed
the
hui/feat/adapter-nextjs/6-secure-for-non-ssl
branch
from
48e7052 to
6852abb
Compare
HuiSF
force-pushed
the
hui/feat/adapter-nextjs/7-use-max-age
branch
from
ab50e6c to
61fd1d6
Compare
HuiSF
force-pushed
the
hui/feat/adapter-nextjs/6-secure-for-non-ssl
branch
from
f7771ce to
ce16bcd
Compare
Base automatically changed from
hui/feat/adapter-nextjs/6-secure-for-non-ssl
to
feat/server-auth/main
January 3, 2025 20:18
…ver to avoid clock drift
HuiSF
force-pushed
the
hui/feat/adapter-nextjs/7-use-max-age
branch
from
61fd1d6 to
9069ee7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes
Use
maxAgecookie attribute to set cookies from the server side to avoid clock drift issues.Since the access token usage are carried onto the server-side, and tokens expiries check and refresh are all performed on the server side of a Next.js app, the client-side incorrect system time becomes irrelevant.
Issue #, if available
Description of how you validated changes
Checklist
yarn testpassesChecklist for repo maintainers
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.