Cookies being deleted in Vercel endpoint function #8409

Closed
1 task done
matoous opened this issue Sep 4, 2023 · 1 comment
matoous commented Sep 4, 2023

Astro Info

Astro                    v3.0.8
Node                     v18.17.1
System                   macOS (x64)
Package Manager          npm
Output                   hybrid
Adapter                  @astrojs/vercel/serverless
Integrations             @astrojs/markdoc
                         @astrojs/react

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

I have an auth flow consisting of several endpoint functions. For this specific bug two of them are important.

src/pages/auth/login.ts:

export const prerender = false;

import {
  defaultCookieOptions,
  getAuthorizationUrl,
  OIDC_COOKIES,
} from "@lib/auth.ts";
import type { APIRoute } from "astro";
import { generateRandomCodeVerifier } from "oauth4webapi";

export const GET: APIRoute = async ({ redirect, cookies }) => {
  // PKCE verifier, kept in a cookie so callback.ts can present it to the token endpoint.
  const code_verifier = generateRandomCodeVerifier();
  cookies.set(OIDC_COOKIES.CodeVerifier, code_verifier, defaultCookieOptions);

  // Bind the state to a variable so the cookie and the authorization URL carry the same value.
  const state = "placeholder";
  cookies.set(OIDC_COOKIES.State, state, defaultCookieOptions);

  const authorizationUrl = await getAuthorizationUrl(code_verifier, state);
  return redirect(authorizationUrl.toString());
};

and src/pages/auth/callback.ts:

export const prerender = false;

import {
  autoDiscovery,
  client,
  defaultCookieOptions,
  OIDC_COOKIES,
} from "@lib/auth.ts";
import type { APIRoute } from "astro";
import {
  authorizationCodeGrantRequest,
  getValidatedIdTokenClaims,
  isOAuth2Error,
  processAuthorizationCodeOpenIDResponse,
  validateAuthResponse,
} from "oauth4webapi";

export const GET: APIRoute = async ({ redirect, cookies, url }) => {
  const currentUrl = new URL(url);

  const state = cookies.get(OIDC_COOKIES.State);
  if (!state) {
    throw new Error("Missing state");
  }

  const codeVerifier = cookies.get(OIDC_COOKIES.CodeVerifier);
  if (!codeVerifier) {
    throw new Error("Missing code_verifier");
  }

  const params = validateAuthResponse(
    autoDiscovery,
    client,
    currentUrl,
    state.value,
  );
  // validateAuthResponse returns an OAuth2Error object (rather than throwing)
  // when the provider returned an error or the state does not match.
  if (isOAuth2Error(params)) {
    throw new Error(`Authorization response rejected: ${params.error}`);
  }

  const response = await authorizationCodeGrantRequest(
    autoDiscovery,
    client,
    params,
    import.meta.env.OIDC_CALLBACK,
    codeVerifier.value,
  );

  const tokenSet = await processAuthorizationCodeOpenIDResponse(
    autoDiscovery,
    client,
    response,
  );

  cookies.set(OIDC_COOKIES.Token, tokenSet.access_token, defaultCookieOptions);

  if (tokenSet.refresh_token) {
    cookies.set(
      OIDC_COOKIES.RefreshToken,
      tokenSet.refresh_token,
      defaultCookieOptions,
    );
  }

  if (tokenSet.id_token) {
    cookies.set(OIDC_COOKIES.IDToken, tokenSet.id_token, defaultCookieOptions);
  }

  const claims = getValidatedIdTokenClaims(tokenSet);
  cookies.set(
    OIDC_COOKIES.Claims,
    JSON.stringify(claims),
    defaultCookieOptions,
  );

  return redirect("/");
};

When deploying this on Vercel the first login page successfully sets the cookies and redirects to the SSO, but the second function instead deletes all cookies:

(Screenshot: Screen Shot 2023-09-04 at 20 36 48)

During local development this works fine. The interesting part is that the second function deletes all cookies, even those that weren't touched in any way during the function execution.

The above functions use the following cookie configuration:

export const defaultCookieOptions: CookieOptions = {
  httpOnly: true,
  sameSite: "lax",
  secure: true,
  path: "/",
};

What's the expected result?

I would expect the callback.ts endpoint to be able to set the cookies just as the login.ts endpoint does.

Link to Minimal Reproducible Example

I can spend some time on this in the following days, but given that this issue occurs only when deploying to Vercel this is slightly more complex. Opening this in the meantime in case somebody encountered the same issue and/or knows what might be the cause.

Participation

  • I am willing to submit a pull request for this issue.
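The symptom above (cookies the handler never touched coming back cleared) is visible in the callback response's Set-Cookie headers. The following is an added example, not code from the issue or from Astro, that parses those headers and reports which cookies were cleared although the handler was not expected to write them; the header strings and cookie names are constructed sample data.

```typescript
// Added example: classify Set-Cookie headers as "set" or "cleared" and flag
// cookies cleared outside the set a handler is expected to touch.
type CookieOutcome = {
  name: string;
  action: "set" | "cleared";
  attributes: Record<string, string>;
};

function parseSetCookie(header: string, now: Date = new Date()): CookieOutcome {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes: Record<string, string> = {};
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? "" : attr.slice(i + 1);
  }
  // A browser treats Max-Age<=0 or an Expires date in the past as a deletion.
  let cleared = false;
  if ("max-age" in attributes && Number(attributes["max-age"]) <= 0) cleared = true;
  if ("expires" in attributes) {
    const exp = new Date(attributes["expires"]);
    if (!Number.isNaN(exp.getTime()) && exp.getTime() <= now.getTime()) cleared = true;
  }
  return { name, action: cleared ? "cleared" : "set", attributes };
}

// Names of cookies that were cleared even though the handler was only
// expected to write the names listed in expectedToTouch.
function unexpectedlyCleared(
  headers: string[],
  expectedToTouch: string[],
  now: Date = new Date(),
): string[] {
  const expected = new Set(expectedToTouch);
  return headers
    .map((h) => parseSetCookie(h, now))
    .filter((c) => c.action === "cleared" && !expected.has(c.name))
    .map((c) => c.name);
}

// Constructed sample: what a callback response looks like when a logout handler ran instead.
const SAMPLE_HEADERS: string[] = [
  "oidc_state=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax",
  "oidc_code_verifier=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax",
  "oidc_token=sample-access-token; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
];
```

Running `unexpectedlyCleared(SAMPLE_HEADERS, ["oidc_token", "oidc_claims"])` against the sample lists the state, code_verifier and theme cookies as cleared without the callback having asked for it.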
@github-actions github-actions bot added the needs triage Issue needs to be triaged label Sep 4, 2023
@matoous matoous closed this as completed Sep 4, 2023
matoous commented Sep 4, 2023

So the issue seemed to be with routes src/pages/auth/logout/callback.ts and src/pages/auth/callback.ts getting bundled into one function and logout taking precedence, closing as a duplicate of: #8401
