use LAX cookie

charmverse · Oct 21, 2024 · f535a4b · f535a4b
1 parent 0ed0cd6
commit f535a4b
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 4 deletions.
diff --git a/@connect-shared/lib/session/config.ts b/@connect-shared/lib/session/config.ts
@@ -8,5 +8,6 @@ export type SessionData = {
 
 export function getIronOptions() {
   const cookieName = process.env.AUTH_COOKIE || getIronOptionsRoot().cookieName;
-  return { ...getIronOptionsRoot(), cookieName };
+  // "LAX" allows us to redirect users to the app from other websites/emails while they are logged in
+  return { ...getIronOptionsRoot({ sameSite: 'lax' }), cookieName };
 }
diff --git a/apps/scoutgame/app/api/login-dev/route.ts b/apps/scoutgame/app/api/login-dev/route.ts
@@ -32,7 +32,7 @@ export async function GET(request: Request) {
 
   const cookieName = process.env.AUTH_COOKIE || getIronOptions().cookieName;
 
-  response.headers.set('Set-Cookie', `${cookieName}=${sealedSession}; HttpOnly; Secure; SameSite=Strict; Path=/`);
+  response.headers.set('Set-Cookie', `${cookieName}=${sealedSession}; HttpOnly; Secure; SameSite=Lax; Path=/`);
 
   return response;
 }
diff --git a/apps/scoutgame/app/api/session/refresh/route.ts b/apps/scoutgame/app/api/session/refresh/route.ts
@@ -7,6 +7,10 @@ import type { NextRequest } from 'next/server';
 // This API Route is non-blocking and called on every page load. Use it to refresh things about the current user
 export async function GET(req: NextRequest) {
   const session = await getSession();
+
+  // save session to update the LAX cookie
+  await session.save();
+
   const userId = session.scoutId;
   if (userId) {
     const scout = await prisma.scout.findUnique({

diff --git a/apps/scoutgame/components/login/LoginPage.tsx b/apps/scoutgame/components/login/LoginPage.tsx
@@ -1,13 +1,33 @@
+'use client';
+
+import { log } from '@charmverse/core/log';
 import { Box, Typography } from '@mui/material';
 import Image from 'next/image';
+import { useRouter } from 'next/navigation';
+import { createContext, useEffect, useContext, useMemo, useState } from 'react';
 
 import { SinglePageLayout } from 'components/common/Layout';
 import { WarpcastLogin } from 'components/common/WarpcastLogin/WarpcastLogin';
 import { InfoBackgroundImage } from 'components/layout/InfoBackgroundImage';
+import { useGetUserTrigger } from 'hooks/api/session';
 
 import { LaunchDate } from './LaunchDate';
 
 export function LoginPage() {
+  const { trigger: triggerReload } = useGetUserTrigger();
+  const router = useRouter();
+  // HACK: Remove this after we change session cookies to LAX
+  useEffect(() => {
+    async function loadUser() {
+      const updated = await triggerReload();
+      if (updated) {
+        log.info('Redirect user to profile from login page', { userId: updated.id });
+        router.push('/profile?tab=win');
+      }
+    }
+    loadUser();
+  }, []);
+
   return (
     <>
       <InfoBackgroundImage />

diff --git a/lib/session/getIronOptions.ts b/lib/session/getIronOptions.ts
@@ -3,15 +3,18 @@ import type { SessionOptions } from 'iron-session';
 
 // import the "optional" auth secret here so it doesnt throw an error at build time
 
-export function getIronOptions({ domain }: { domain?: string } = {}): SessionOptions {
+export function getIronOptions({
+  domain,
+  sameSite = 'strict'
+}: { domain?: string; sameSite?: 'lax' | 'strict' } = {}): SessionOptions {
   if (!authSecret) {
     throw new Error('AUTH_SECRET is not defined');
   }
   const ironOptions: SessionOptions = {
     cookieName,
     password: authSecret,
     cookieOptions: {
-      sameSite: 'strict' as const,
+      sameSite,
       domain,
       // secure: true should be used in production (HTTPS) but can't be used in development (HTTP)
       secure: typeof baseUrl === 'string' && baseUrl.includes('https')