feat: allow default cookie options to be overridden (#223)

* feat: allow default cookie options to be overwritten

* docs: document cookie options override

* Update index.js

Co-authored-by: Uzlopak <[email protected]>

* refactor cookie opts declaration

* test: add test cases

* improve typings

* simplify

* use CookieSerializeOptions

---------

Co-authored-by: Stephen Sweetland <[email protected]>
Co-authored-by: Uzlopak <[email protected]>

Author: 3 people

README.md

@@ -61,6 +61,18 @@ fastify.register(require('@fastify/cookie'), cookieOptions)
 fastify.register(oauthPlugin, oauthOptions)
 ```
 
+Cookies are by default `httpOnly`, `sameSite: Lax`. If this does not suit your use case, it is possible to override the default cookie settings by providing options in the configuration object, for example
+
+```js
+fastify.register(oauthPlugin, {
+  ...,
+  cookie: {
+    secure: true,
+    sameSite: 'none'
+  }
+})
+```
+
 ### Preset configurations
 
 You can choose some default setup to assign to `auth` option.

index.js

@@ -61,6 +61,9 @@ function fastifyOauth2 (fastify, options, next) {
   if (options.schema && typeof options.schema !== 'object') {
     return next(new Error('options.schema should be a object'))
   }
+  if (options.cookie && typeof options.cookie !== 'object') {
+    return next(new Error('options.cookie should be an object'))
+  }
 
   if (!fastify.hasReplyDecorator('cookie')) {
     fastify.register(require('@fastify/cookie'))
@@ -78,14 +81,12 @@ function fastifyOauth2 (fastify, options, next) {
   const startRedirectPath = options.startRedirectPath
   const tags = options.tags || []
   const schema = options.schema || { tags }
+  const cookieOpts = Object.assign({ httpOnly: true, sameSite: 'lax' }, options.cookie)
 
   function generateAuthorizationUri (request, reply) {
     const state = generateStateFunction(request)
 
-    reply.setCookie('oauth2-redirect-state', state, {
-      httpOnly: true,
-      sameSite: 'lax'
-    })
+    reply.setCookie('oauth2-redirect-state', state, cookieOpts)
 
     const urlOptions = Object.assign({}, generateCallbackUriParams(callbackUriParams, request, scope, state), {
       redirect_uri: callbackUri,

test/index.test.js

@@ -602,6 +602,28 @@ t.test('options.schema should be a object', t => {
     })
 })
 
+t.test('options.cookie should be an object', t => {
+  t.plan(1)
+
+  const fastify = createFastify({ logger: { level: 'silent' } })
+
+  fastify.register(fastifyOauth2, {
+    name: 'the-name',
+    credentials: {
+      client: {
+        id: 'my-client-id',
+        secret: 'my-secret'
+      },
+      auth: fastifyOauth2.GITHUB_CONFIGURATION
+    },
+    callbackUri: '/callback',
+    cookie: 1
+  })
+    .ready(err => {
+      t.strictSame(err.message, 'options.cookie should be an object')
+    })
+})
+
 t.test('options.schema', t => {
   const fastify = createFastify({ logger: { level: 'silent' }, exposeHeadRoutes: false })
 

types/index.d.ts

@@ -1,4 +1,5 @@
 import { FastifyPluginCallback, FastifyReply, FastifyRequest } from 'fastify';
+import { CookieSerializeOptions } from "@fastify/cookie";
 
 interface FastifyOauth2 extends FastifyPluginCallback<fastifyOauth2.FastifyOAuth2Options> {
   APPLE_CONFIGURATION: fastifyOauth2.ProviderConfiguration;
@@ -30,6 +31,7 @@ declare namespace fastifyOauth2 {
     startRedirectPath?: string;
     tags?: string[];
     schema?: object;
+    cookie?: CookieSerializeOptions;
   }
 
   export interface Token {

types/index.test-d.ts

@@ -31,6 +31,10 @@ const OAuth2Options: FastifyOAuth2Options = {
   generateStateFunction: () => {},
   checkStateFunction: () => {},
   startRedirectPath: '/login/testOauth',
+  cookie: {
+    secure: true,
+    sameSite: 'none'
+  }
 };
 
 const server = fastify();