
Extensive Cookie Configuration #2059


Open
wants to merge 3 commits into
base: main

Conversation

tusharpandey13
Contributor

@tusharpandey13 tusharpandey13 commented Apr 15, 2025

Fixes #1889

Changes

This PR introduces enhanced configuration options for session cookies, allowing for finer control over their attributes.

  • Added new SessionCookieOptions:
    • domain: Specifies the Domain attribute for the session cookie.
    • transient: If true, the maxAge attribute is omitted, making the cookie a session cookie (deleted when the browser closes). Defaults to false.
  • Added support for Environment Variables: The SDK now reads the following environment variables to configure session cookies, providing an alternative to direct configuration:
    • AUTH0_COOKIE_DOMAIN
    • AUTH0_COOKIE_PATH
    • AUTH0_COOKIE_TRANSIENT
    • AUTH0_COOKIE_HTTP_ONLY
    • AUTH0_COOKIE_SECURE
    • AUTH0_COOKIE_SAME_SITE
  • Updated setChunkedCookie: Logic adjusted to handle the transient option by omitting maxAge.
  • Updated Auth0Client: Initialization logic now incorporates values from environment variables as defaults if direct configuration is not provided.
  • Updated AbstractSessionStore: Now passes domain and transient options during cookie configuration.

Testing

  • Added comprehensive unit tests in src/server/chunked-cookies.test.ts to verify the correct behavior of the new domain and transient options for both single and chunked cookies.
  • Existing tests pass.

Usage

You can configure the new cookie options either through environment variables or directly in the SDK initialization.

1. Using Environment Variables:

Set the desired environment variables in your .env.local file or your deployment environment:

```shell
# .env.local
AUTH0_SECRET='LONG_RANDOM_STRING'
AUTH0_BASE_URL='http://localhost:3000'
AUTH0_ISSUER_BASE_URL='https://your-tenant.auth0.com'
AUTH0_CLIENT_ID='YOUR_AUTH0_CLIENT_ID'
AUTH0_CLIENT_SECRET='YOUR_AUTH0_CLIENT_SECRET'

# New Cookie Options
AUTH0_COOKIE_DOMAIN='.example.com' # Set cookie for subdomains
AUTH0_COOKIE_PATH='/app'          # Limit cookie to /app path
AUTH0_COOKIE_TRANSIENT=true       # Make cookie transient (session-only)
AUTH0_COOKIE_SECURE=true          # Recommended for production
AUTH0_COOKIE_SAME_SITE='Lax'
AUTH0_COOKIE_HTTP_ONLY=true
```

The SDK will automatically pick up these values.

2. Using Auth0ClientOptions (App Router Example):

Configure the options directly when initializing the client handlers:

```typescript
// app/api/auth/[auth0]/route.ts
import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';

export const GET = handleAuth({
  login: handleLogin({
    authorizationParams: {
      audience: 'https://api.example.com/products' // or AUTH0_AUDIENCE
    }
  }),
  onError(req: Request, error: Error) {
    console.error(error);
  }
}, {
  session: {
    // Directly configured cookie attributes; these override the
    // AUTH0_COOKIE_* environment variables.
    cookie: {
      domain: '.example.com',
      path: '/app',
      transient: true, // omit maxAge so the browser drops the cookie on close
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'Lax',
      // name: 'appSession', // Optional: custom cookie name
    }
  },
  secret: process.env.AUTH0_SECRET,
  baseURL: process.env.AUTH0_BASE_URL,
  clientID: process.env.AUTH0_CLIENT_ID,
  clientSecret: process.env.AUTH0_CLIENT_SECRET,
  issuerBaseURL: process.env.AUTH0_ISSUER_BASE_URL
});
```

Note: Options provided directly in Auth0ClientOptions take precedence over environment variables.
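The precedence rule stated above (direct Auth0ClientOptions, then AUTH0_COOKIE_* environment variables, then defaults) and the transient handling described for setChunkedCookie, modelled as two small functions. This is an added example, not code from the PR or the SDK; the default values, the option names and the Set-Cookie serialiser are assumptions.

```typescript
// Added example (not the SDK's code): resolve session-cookie options in the
// order the PR describes, then serialise a Set-Cookie header that omits
// Max-Age when the cookie is transient. Defaults below are assumed.
type SameSite = "lax" | "strict" | "none";

interface CookieOptions {
  name: string;
  domain?: string;
  path: string;
  transient: boolean;
  httpOnly: boolean;
  secure: boolean;
  sameSite: SameSite;
}

type Env = Record<string, string | undefined>;

// Only the literal string "true" enables a boolean flag; anything else is false.
function parseBool(v: string | undefined): boolean | undefined {
  return v === undefined ? undefined : v.trim().toLowerCase() === "true";
}

// Accept 'Lax', 'strict', 'None' etc.; reject unknown values so the default applies.
function parseSameSite(v: string | undefined): SameSite | undefined {
  if (v === undefined) return undefined;
  const s = v.trim().toLowerCase();
  return s === "lax" || s === "strict" || s === "none" ? s : undefined;
}

// Direct options win, env vars fill the gaps, assumed defaults come last.
function resolveCookieOptions(direct: Partial<CookieOptions>, env: Env): CookieOptions {
  return {
    name: direct.name ?? "__session",
    domain: direct.domain ?? env.AUTH0_COOKIE_DOMAIN,
    path: direct.path ?? env.AUTH0_COOKIE_PATH ?? "/",
    transient: direct.transient ?? parseBool(env.AUTH0_COOKIE_TRANSIENT) ?? false,
    httpOnly: direct.httpOnly ?? parseBool(env.AUTH0_COOKIE_HTTP_ONLY) ?? true,
    secure: direct.secure ?? parseBool(env.AUTH0_COOKIE_SECURE) ?? false,
    sameSite: direct.sameSite ?? parseSameSite(env.AUTH0_COOKIE_SAME_SITE) ?? "lax",
  };
}

// Build the Set-Cookie value; a transient cookie carries no Max-Age so the
// browser discards it when the session ends. SameSite=None requires Secure.
function serializeSetCookie(opts: CookieOptions, value: string, maxAgeSeconds: number): string {
  if (opts.sameSite === "none" && !opts.secure) throw new Error("SameSite=None requires Secure");
  const parts = [`${opts.name}=${value}`, `Path=${opts.path}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (!opts.transient) parts.push(`Max-Age=${maxAgeSeconds}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  parts.push(`SameSite=${opts.sameSite[0].toUpperCase()}${opts.sameSite.slice(1)}`);
  return parts.join("; ");
}
```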

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner April 15, 2025 11:25
@codecov-commenter

codecov-commenter commented Apr 15, 2025

Codecov Report

Attention: Patch coverage is 88.63636% with 5 lines in your changes missing coverage. Please review.

Project coverage is 78.63%. Comparing base (dbfd502) to head (b20d02a).

Files with missing lines:
  src/server/session/stateless-session-store.ts  (patch coverage 50.00%, 5 lines missing)
Additional details and impacted files
```text
@@            Coverage Diff             @@
##             main    #2059      +/-   ##
==========================================
+ Coverage   78.47%   78.63%   +0.16%     
==========================================
  Files          21       21              
  Lines        1909     1924      +15     
  Branches      307      313       +6     
==========================================
+ Hits         1498     1513      +15     
  Misses        405      405              
  Partials        6        6              
```


nandan-bhat
nandan-bhat previously approved these changes Apr 15, 2025
@tusharpandey13 tusharpandey13 changed the title feature/cookieEnvConfig Extensive Cookie Configuration Apr 16, 2025

Successfully merging this pull request may close these issues.

v4: Additional cookie configurations