added cookie config options

tusharpandey13 · tusharpandey13 · commit 3abe77847a35 · 2025-04-15T16:55:26.000+05:30
diff --git a/src/server/chunked-cookies.test.ts b/src/server/chunked-cookies.test.ts
@@ -231,12 +231,204 @@ describe("Chunked Cookie Utils", () => {
       // It is called 3 times.
       // 2 times for the chunks
       // 1 time for the non chunked cookie
-      expect(reqCookies.delete).toHaveBeenCalledTimes(3); 
+      expect(reqCookies.delete).toHaveBeenCalledTimes(3);
       expect(reqCookies.delete).toHaveBeenCalledWith(`${name}__3`);
       expect(reqCookies.delete).toHaveBeenCalledWith(`${name}__4`);
       expect(reqCookies.delete).toHaveBeenCalledWith(name);
     });
 
+    // New tests for domain and transient options
+    it("should set the domain property for a single cookie", () => {
+      const name = "domainCookie";
+      const value = "small value";
+      const options: CookieOptions = {
+        path: "/",
+        domain: "example.com",
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax"
+      };
+
+      setChunkedCookie(name, value, options, reqCookies, resCookies);
+
+      expect(resCookies.set).toHaveBeenCalledTimes(1);
+      expect(resCookies.set).toHaveBeenCalledWith(
+        name,
+        value,
+        expect.objectContaining({ domain: "example.com" })
+      );
+    });
+
+    it("should set the domain property for chunked cookies", () => {
+      const name = "largeDomainCookie";
+      const largeValue = "a".repeat(8000);
+      const options: CookieOptions = {
+        path: "/",
+        domain: "example.com",
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax"
+      };
+
+      setChunkedCookie(name, largeValue, options, reqCookies, resCookies);
+
+      expect(resCookies.set).toHaveBeenCalledTimes(3); // 3 chunks
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        1,
+        `${name}__0`,
+        expect.any(String),
+        expect.objectContaining({ domain: "example.com" })
+      );
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        2,
+        `${name}__1`,
+        expect.any(String),
+        expect.objectContaining({ domain: "example.com" })
+      );
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        3,
+        `${name}__2`,
+        expect.any(String),
+        expect.objectContaining({ domain: "example.com" })
+      );
+    });
+
+    it("should omit maxAge for a single transient cookie", () => {
+      const name = "transientCookie";
+      const value = "small value";
+      const options: CookieOptions = {
+        path: "/",
+        maxAge: 3600,
+        transient: true,
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax"
+      };
+      const expectedOptions = { ...options };
+      delete expectedOptions.maxAge; // maxAge should be removed
+      delete expectedOptions.transient; // transient flag itself is not part of the cookie options
+
+      setChunkedCookie(name, value, options, reqCookies, resCookies);
+
+      expect(resCookies.set).toHaveBeenCalledTimes(1);
+      expect(resCookies.set).toHaveBeenCalledWith(name, value, expectedOptions);
+      expect(resCookies.set).not.toHaveBeenCalledWith(
+        name,
+        value,
+        expect.objectContaining({ maxAge: 3600 })
+      );
+    });
+
+    it("should omit maxAge for chunked transient cookies", () => {
+      const name = "largeTransientCookie";
+      const largeValue = "a".repeat(8000);
+      const options: CookieOptions = {
+        path: "/",
+        maxAge: 3600,
+        transient: true,
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax"
+      };
+      const expectedOptions = { ...options };
+      delete expectedOptions.maxAge; // maxAge should be removed
+      delete expectedOptions.transient; // transient flag itself is not part of the cookie options
+
+      setChunkedCookie(name, largeValue, options, reqCookies, resCookies);
+
+      expect(resCookies.set).toHaveBeenCalledTimes(3); // 3 chunks
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        1,
+        `${name}__0`,
+        expect.any(String),
+        expectedOptions
+      );
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        2,
+        `${name}__1`,
+        expect.any(String),
+        expectedOptions
+      );
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        3,
+        `${name}__2`,
+        expect.any(String),
+        expectedOptions
+      );
+      expect(resCookies.set).not.toHaveBeenCalledWith(
+        expect.any(String),
+        expect.any(String),
+        expect.objectContaining({ maxAge: 3600 })
+      );
+    });
+
+    it("should include maxAge for a single non-transient cookie", () => {
+      const name = "nonTransientCookie";
+      const value = "small value";
+      const options: CookieOptions = {
+        path: "/",
+        maxAge: 3600,
+        transient: false,
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax"
+      };
+      const expectedOptions = { ...options };
+      delete expectedOptions.transient; // transient flag itself is not part of the cookie options
+
+      setChunkedCookie(name, value, options, reqCookies, resCookies);
+
+      expect(resCookies.set).toHaveBeenCalledTimes(1);
+      expect(resCookies.set).toHaveBeenCalledWith(name, value, expectedOptions);
+      expect(resCookies.set).toHaveBeenCalledWith(
+        name,
+        value,
+        expect.objectContaining({ maxAge: 3600 })
+      );
+    });
+
+    it("should include maxAge for chunked non-transient cookies", () => {
+      const name = "largeNonTransientCookie";
+      const largeValue = "a".repeat(8000);
+      const options: CookieOptions = {
+        path: "/",
+        maxAge: 3600,
+        transient: false,
+        httpOnly: true,
+        secure: true,
+        sameSite: "lax"
+      };
+      const expectedOptions = { ...options };
+      delete expectedOptions.transient; // transient flag itself is not part of the cookie options
+
+      setChunkedCookie(name, largeValue, options, reqCookies, resCookies);
+
+      expect(resCookies.set).toHaveBeenCalledTimes(3); // 3 chunks
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        1,
+        `${name}__0`,
+        expect.any(String),
+        expectedOptions
+      );
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        2,
+        `${name}__1`,
+        expect.any(String),
+        expectedOptions
+      );
+      expect(resCookies.set).toHaveBeenNthCalledWith(
+        3,
+        `${name}__2`,
+        expect.any(String),
+        expectedOptions
+      );
+      expect(resCookies.set).toHaveBeenCalledWith(
+        expect.any(String),
+        expect.any(String),
+        expect.objectContaining({ maxAge: 3600 })
+      );
+    });
+
     describe("getChunkedCookie", () => {
       it("should return undefined when cookie does not exist", () => {
         const result = getChunkedCookie("nonexistent", reqCookies);
diff --git a/src/server/client.ts b/src/server/client.ts
@@ -197,9 +197,22 @@ export class Auth0Client {
 
     const sessionCookieOptions: SessionCookieOptions = {
       name: options.session?.cookie?.name ?? "__session",
-      secure: options.session?.cookie?.secure ?? false,
-      sameSite: options.session?.cookie?.sameSite ?? "lax",
-      path: options.session?.cookie?.path ?? "/"
+      secure:
+        options.session?.cookie?.secure ??
+        process.env.AUTH0_COOKIE_SECURE === "true",
+      sameSite:
+        options.session?.cookie?.sameSite ??
+        (process.env.AUTH0_COOKIE_SAME_SITE as "lax" | "strict" | "none") ??
+        "lax",
+      path:
+        options.session?.cookie?.path ?? process.env.AUTH0_COOKIE_PATH ?? "/",
+      httpOnly:
+        options.session?.cookie?.httpOnly ??
+        process.env.AUTH0_COOKIE_HTTP_ONLY !== "false",
+      transient:
+        options.session?.cookie?.transient ??
+        process.env.AUTH0_COOKIE_TRANSIENT === "true",
+      domain: options.session?.cookie?.domain ?? process.env.AUTH0_COOKIE_DOMAIN
     };
 
     const transactionCookieOptions: TransactionCookieOptions = {
diff --git a/src/server/cookies.ts b/src/server/cookies.ts
@@ -113,6 +113,8 @@ export interface CookieOptions {
   secure: boolean;
   path: string;
   maxAge?: number;
+  domain?: string;
+  transient?: boolean;
 }
 
 export type ReadonlyRequestCookies = Omit<
@@ -178,16 +180,23 @@ export function setChunkedCookie(
   reqCookies: RequestCookies,
   resCookies: ResponseCookies
 ): void {
+  const { transient, ...restOptions } = options;
+  const finalOptions = { ...restOptions };
+
+  if (transient) {
+    delete finalOptions.maxAge;
+  }
+
   const valueBytes = new TextEncoder().encode(value).length;
 
   // If value fits in a single cookie, set it directly
   if (valueBytes <= MAX_CHUNK_SIZE) {
-    resCookies.set(name, value, options);
+    resCookies.set(name, value, finalOptions);
     // to enable read-after-write in the same request for middleware
     reqCookies.set(name, value);
 
     // When we are writing a non-chunked cookie, we should remove the chunked cookies
-    getAllChunkedCookies(reqCookies, name).forEach(cookieChunk => {
+    getAllChunkedCookies(reqCookies, name).forEach((cookieChunk) => {
       resCookies.delete(cookieChunk.name);
       reqCookies.delete(cookieChunk.name);
     });
@@ -203,7 +212,7 @@ export function setChunkedCookie(
     const chunk = value.slice(position, position + MAX_CHUNK_SIZE);
     const chunkName = `${name}${CHUNK_PREFIX}${chunkIndex}`;
 
-    resCookies.set(chunkName, chunk, options);
+    resCookies.set(chunkName, chunk, finalOptions);
     // to enable read-after-write in the same request for middleware
     reqCookies.set(chunkName, chunk);
     position += MAX_CHUNK_SIZE;
@@ -223,9 +232,9 @@ export function setChunkedCookie(
     }
   }
 
-   // When we have written chunked cookies, we should remove the non-chunked cookie
-   resCookies.delete(name);
-   reqCookies.delete(name);
+  // When we have written chunked cookies, we should remove the non-chunked cookie
+  resCookies.delete(name);
+  reqCookies.delete(name);
 }
 
 /**
diff --git a/src/server/session/abstract-session-store.ts b/src/server/session/abstract-session-store.ts
@@ -29,6 +29,20 @@ export interface SessionCookieOptions {
    * The path attribute of the session cookie. Will be set to '/' by default.
    */
   path?: string;
+  /**
+   * Specifies the value for the {@link https://tools.ietf.org/html/rfc6265#section-5.2.3|Domain Set-Cookie attribute}. By default, no
+   * domain is set, and most clients will consider the cookie to apply to only
+   * the current domain.
+   */
+  domain?: string;
+  /**
+   * The httpOnly attribute of the session cookie. When true, the cookie is not accessible via JavaScript.
+   */
+  httpOnly?: boolean;
+  /**
+   * The transient attribute of the session cookie. When true, the cookie will not persist beyond the current session.
+   */
+  transient?: boolean;
 }
 
 export interface SessionConfiguration {
@@ -107,7 +121,9 @@ export abstract class AbstractSessionStore {
       httpOnly: true,
       sameSite: cookieOptions?.sameSite ?? "lax",
       secure: cookieOptions?.secure ?? false,
-      path: cookieOptions?.path ?? "/"
+      path: cookieOptions?.path ?? "/",
+      domain: cookieOptions?.domain,
+      transient: cookieOptions?.transient
     };
   }
 
diff --git a/src/server/session/stateless-session-store.ts b/src/server/session/stateless-session-store.ts
@@ -1,7 +1,6 @@
-import { CookieOptions, ConnectionTokenSet, SessionData } from "../../types";
-
 import type { JWTPayload } from "jose";
 
+import { ConnectionTokenSet, CookieOptions, SessionData } from "../../types";
 import * as cookies from "../cookies";
 import {
   AbstractSessionStore,
@@ -55,25 +54,26 @@ export class StatelessSessionStore extends AbstractSessionStore {
       SessionData | LegacySessionPayload
     >(cookieValue, this.secret);
 
-    const normalizedStatelessSession = normalizeStatelessSession(originalSession);
+    const normalizedStatelessSession =
+      normalizeStatelessSession(originalSession);
 
     // As connection access tokens are stored in seperate cookies,
     // we need to get all cookies and only use those that are prefixed with `this.connectionTokenSetsCookieName`
     const connectionTokenSets = await Promise.all(
-      this.getConnectionTokenSetsCookies(reqCookies).map(
-        (cookie) =>
-          cookies.decrypt<ConnectionTokenSet>(
-            cookie.value,
-            this.secret
-          )
+      this.getConnectionTokenSetsCookies(reqCookies).map((cookie) =>
+        cookies.decrypt<ConnectionTokenSet>(cookie.value, this.secret)
       )
     );
 
     return {
       ...normalizedStatelessSession,
       // Ensure that when there are no connection token sets, we omit the property.
       ...(connectionTokenSets.length
-        ? { connectionTokenSets: connectionTokenSets.map(tokenSet => tokenSet.payload) }
+        ? {
+            connectionTokenSets: connectionTokenSets.map(
+              (tokenSet) => tokenSet.payload
+            )
+          }
         : {})
     };
   }
@@ -117,7 +117,7 @@ export class StatelessSessionStore extends AbstractSessionStore {
         )
       );
     }
-    
+
     // Any existing v3 cookie can be deleted as soon as we have set a v4 cookie.
     // In stateless sessions, we do have to ensure we delete all chunks.
     cookies.deleteChunkedCookie(LEGACY_COOKIE_NAME, reqCookies, resCookies);
@@ -127,11 +127,7 @@ export class StatelessSessionStore extends AbstractSessionStore {
     reqCookies: cookies.RequestCookies,
     resCookies: cookies.ResponseCookies
   ) {
-    cookies.deleteChunkedCookie(
-      this.sessionCookieName,
-      reqCookies,
-      resCookies
-    );
+    cookies.deleteChunkedCookie(this.sessionCookieName, reqCookies, resCookies);
 
     this.getConnectionTokenSetsCookies(reqCookies).forEach((cookie) =>
       resCookies.delete(cookie.name)
@@ -177,7 +173,6 @@ export class StatelessSessionStore extends AbstractSessionStore {
             "You can use a stateful session implementation to store the session data in a data store."
         );
       }
-      
     }
   }
 
