From 89a133ea59f42ec23aec9a98fb3f852562e61f41 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Sat, 24 Sep 2022 21:46:25 -0400
Subject: [PATCH] Add sameSite attribute for auth cookies

---
 server/routes/auth/index.ts | 1 +
 server/utils/authentication.ts | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/server/routes/auth/index.ts b/server/routes/auth/index.ts
index 974df0335583..a0860f8e7e83 100644
--- a/server/routes/auth/index.ts
+++ b/server/routes/auth/index.ts
@@ -35,6 +35,7 @@ router.get("/redirect", auth(), async (ctx) => {
 ctx.cookies.set("accessToken", jwtToken, {
 httpOnly: false,
+ sameSite: true,
 expires: addMonths(new Date(), 3),
 });
 const [team, collection, view] = await Promise.all([
diff --git a/server/utils/authentication.ts b/server/utils/authentication.ts
index e3983a163faa..ca0560c27909 100644
--- a/server/utils/authentication.ts
+++ b/server/utils/authentication.ts
@@ -74,6 +74,7 @@ export async function signIn(
 // only used to display a UI hint for the user for next time
 ctx.cookies.set("lastSignedIn", service, {
 httpOnly: false,
+ sameSite: true,
 expires: new Date("2100"),
 domain,
 });
@@ -101,6 +102,7 @@ export async function signIn(
 ctx.redirect(`${team.url}/auth/redirect?token=${user.getTransferToken()}`);
 } else {
 ctx.cookies.set("accessToken", user.getJwtToken(), {
+ sameSite: true,
 httpOnly: false,
 expires,
 });
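Review bot: `sameSite: true` on the accessToken cookie resolves to `SameSite=Strict` in the `cookies` module that Koa's `ctx.cookies` wraps, and a Strict cookie is not attached to cross-site top-level navigations, so a user who follows a link into the app from mail or chat arrives at the first request without the token and may appear signed out until a same-site navigation happens. If that is the intended trade-off, say so on the line, e.g. `sameSite: "strict", // not sent on cross-site navigations, so external links land unauthenticated`; if not, `sameSite: "lax",` still withholds the cookie from cross-site POSTs while sending it on top-level GETs. The same choice applies to the accessToken cookie in the second hunk of server/utils/authentication.ts. SameSite only limits when the browser attaches the cookie; with `httpOnly: false` left as is, the token stays readable by page scripts, so this change does not reduce exposure to script access. The router handler starts before the hunk and continues after it.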
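Review bot: In the second hunk of server/utils/authentication.ts the new `sameSite: true` line is placed before `httpOnly: false`, while the other two `ctx.cookies.set` calls in this commit put it after `httpOnly`; keeping the attribute order identical across the three calls (`httpOnly: false,` then `sameSite: true,` then `expires,`) makes the cookie settings easy to compare side by side. An explicit string value (`"strict"` or `"lax"`) would also be clearer than `true`, whose meaning depends on the library's mapping rather than being visible at the call site. signIn begins before the hunk and continues after it.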