fix(authentication): safari cannot login on remote lianas because of third party cookies (#435)

Author: ghusse

app/controllers/forest_liana/authentication_controller.rb

@@ -61,28 +61,12 @@ def authentication_callback
           callback_url,
           params,
         )
-    
-        response.set_cookie(
-          'forest_session_token',
-          {
-            value: token,
-            httponly: true,
-            secure: true,
-            expires: ForestLiana::Token.expiration_in_days,
-            same_site: :None,
-            path: '/'
-          },
-        )
 
         response_body = {
+          token: token,
           tokenData: JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
         }
 
-        # The token is sent decoded, because we don't want to share the whole, signed token
-        # that is used to authenticate people
-        # but the token itself contains interesting values, such as its expiration date
-        response_body[:token] = token if !ForestLiana.application_url.start_with?('https://')
-
         render json: response_body, status: 200
 
       rescue => error

spec/requests/authentications_spec.rb

@@ -60,10 +60,9 @@
     end
 
     it "should return a valid authentication token" do
-      session_cookie = response.headers['set-cookie']
-      expect(session_cookie).to match(/^forest_session_token=[^;]+; path=\/; expires=[^;]+; secure; HttpOnly; SameSite=None$/)
+      body = JSON.parse(response.body, :symbolize_names => true);
 
-      token = session_cookie.match(/^forest_session_token=([^;]+);/)[1]
+      token = body[:token]
       decoded = JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
 
       expected_token_data = {
@@ -76,31 +75,18 @@
       }
 
       expect(decoded).to include(expected_token_data)
-      expect(JSON.parse(response.body, :symbolize_names => true)).to eq({ token: token, tokenData: decoded.deep_symbolize_keys! })
+      expect(body).to eq({ token: token, tokenData: decoded.deep_symbolize_keys! })
       expect(response).to have_http_status(200)
     end
   end
 
   describe "POST /authentication/logout" do
     before() do 
-      cookies['forest_session_token'] = {
-        value: 'eyJhbGciOiJIUzI1NiJ9.eyJpZCI6NjY2LCJlbWFpbCI6ImFsaWNlQGZvcmVzdGFkbWluLmNvbSIsImZpcnN0X25hbWUiOiJBbGljZSIsImxhc3RfbmFtZSI6IkRvZSIsInRlYW0iOjEsInJlbmRlcmluZ19pZCI6IjQyIiwiZXhwIjoxNjA4MDQ5MTI2fQ.5xaMxjUjE3wKldBsj3wW0BP9GHnnMqQi2Kpde8cIHEw',
-        path: '/',
-        expires: Time.now.to_i + 14.days,
-        secure: true,
-        httponly: true
-      }
       post ForestLiana::Engine.routes.url_helpers.authentication_logout_path, params: { :renderingId => 42 }, :headers => headers
-      cookies.delete('forest_session_token')
     end
 
     it "should respond with a 204 code" do
       expect(response).to have_http_status(204)
     end
-
-    it "should invalidate token from browser" do
-      invalidated_session_cookie = response.headers['set-cookie']
-      expect(invalidated_session_cookie).to match(/^forest_session_token=[^;]+; path=\/; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure; HttpOnly; SameSite=None$/)
-    end
   end
 end