Add sameSite attribute for auth cookies

outline · Sep 25, 2022 · 89a133e · 89a133e
1 parent 61a8230
commit 89a133e
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/server/routes/auth/index.ts b/server/routes/auth/index.ts
@@ -35,6 +35,7 @@ router.get("/redirect", auth(), async (ctx) => {
 
   ctx.cookies.set("accessToken", jwtToken, {
     httpOnly: false,
+    sameSite: true,
     expires: addMonths(new Date(), 3),
   });
   const [team, collection, view] = await Promise.all([

diff --git a/server/utils/authentication.ts b/server/utils/authentication.ts
@@ -74,6 +74,7 @@ export async function signIn(
   // only used to display a UI hint for the user for next time
   ctx.cookies.set("lastSignedIn", service, {
     httpOnly: false,
+    sameSite: true,
     expires: new Date("2100"),
     domain,
   });
@@ -101,6 +102,7 @@ export async function signIn(
     ctx.redirect(`${team.url}/auth/redirect?token=${user.getTransferToken()}`);
   } else {
     ctx.cookies.set("accessToken", user.getJwtToken(), {
+      sameSite: true,
       httpOnly: false,
       expires,
     });