fix: fixed cookie samesite validation (#335)

sattvikc · web-flow · commit f180063b672c · 2022-06-22T12:04:51.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changes
 
+-   Fixes Cookie sameSite config validation.
 -   Fixes a few typos
 -   Changes `getEmailForUserIdForEmailVerification` function inside thirdpartypasswordless to take into account passwordless emails and return an empty string in case a passwordless email doesn't exist. This helps situations where the dev wants to customise the email verification functions in the thirdpartypasswordless recipe.
 
diff --git a/lib/build/recipe/session/utils.js b/lib/build/recipe/session/utils.js
@@ -180,9 +180,13 @@ function validateAndNormaliseUserInput(recipeInstance, appInfo, config) {
     if (
         cookieSameSite === "none" &&
         !cookieSecure &&
-        !(topLevelAPIDomain === "localhost" || utils_1.isAnIpAddress(topLevelAPIDomain)) &&
-        !(topLevelWebsiteDomain === "localhost" || utils_1.isAnIpAddress(topLevelWebsiteDomain))
+        !(
+            (topLevelAPIDomain === "localhost" || utils_1.isAnIpAddress(topLevelAPIDomain)) &&
+            (topLevelWebsiteDomain === "localhost" || utils_1.isAnIpAddress(topLevelWebsiteDomain))
+        )
     ) {
+        // We can allow insecure cookie when both website & API domain are localhost or an IP
+        // When either of them is a different domain, API domain needs to have https and a secure cookie to work
         throw new Error(
             "Since your API and website domain are different, for sessions to work, please use https on your apiDomain and dont set cookieSecure to false."
         );
diff --git a/lib/ts/recipe/session/utils.ts b/lib/ts/recipe/session/utils.ts
@@ -194,9 +194,13 @@ export function validateAndNormaliseUserInput(
     if (
         cookieSameSite === "none" &&
         !cookieSecure &&
-        !(topLevelAPIDomain === "localhost" || isAnIpAddress(topLevelAPIDomain)) &&
-        !(topLevelWebsiteDomain === "localhost" || isAnIpAddress(topLevelWebsiteDomain))
+        !(
+            (topLevelAPIDomain === "localhost" || isAnIpAddress(topLevelAPIDomain)) &&
+            (topLevelWebsiteDomain === "localhost" || isAnIpAddress(topLevelWebsiteDomain))
+        )
     ) {
+        // We can allow insecure cookie when both website & API domain are localhost or an IP
+        // When either of them is a different domain, API domain needs to have https and a secure cookie to work
         throw new Error(
             "Since your API and website domain are different, for sessions to work, please use https on your apiDomain and dont set cookieSecure to false."
         );
diff --git a/test/config.test.js b/test/config.test.js
@@ -478,6 +478,78 @@ describe(`configTest: ${printPath("[test/config.test.js]")}`, function () {
         }
     });
 
+    it("sameSite none invalid domain values", async function () {
+        const domainCombinations = [
+            ["http://localhost:3000", "http://supertokensapi.io"],
+            ["http://127.0.0.1:3000", "http://supertokensapi.io"],
+            ["http://supertokens.io", "http://localhost:8000"],
+            ["http://supertokens.io", "http://127.0.0.1:8000"],
+            ["http://supertokens.io", "http://supertokensapi.io"],
+        ];
+
+        for (const domainCombination of domainCombinations) {
+            try {
+                STExpress.init({
+                    supertokens: {
+                        connectionURI: "http://localhost:8080",
+                    },
+                    appInfo: {
+                        appName: "SuperTokens",
+                        websiteDomain: domainCombination[0],
+                        apiDomain: domainCombination[1],
+                    },
+                    recipeList: [Session.init({ cookieSameSite: "none" })],
+                });
+                assert(false);
+            } catch (e) {
+                assert(
+                    e.message ===
+                        "Since your API and website domain are different, for sessions to work, please use https on your apiDomain and dont set cookieSecure to false."
+                );
+            }
+            resetAll();
+        }
+    });
+
+    it("sameSite none valid domain values", async function () {
+        const domainCombinations = [
+            ["http://localhost:3000", "http://localhost:8000"],
+            ["http://127.0.0.1:3000", "http://localhost:8000"],
+            ["http://localhost:3000", "http://127.0.0.1:8000"],
+            ["http://127.0.0.1:3000", "http://127.0.0.1:8000"],
+
+            ["https://localhost:3000", "https://localhost:8000"],
+            ["https://127.0.0.1:3000", "https://localhost:8000"],
+            ["https://localhost:3000", "https://127.0.0.1:8000"],
+            ["https://127.0.0.1:3000", "https://127.0.0.1:8000"],
+
+            ["https://supertokens.io", "https://api.supertokens.io"],
+            ["https://supertokens.io", "https://supertokensapi.io"],
+
+            ["http://localhost:3000", "https://supertokensapi.io"],
+            ["http://127.0.0.1:3000", "https://supertokensapi.io"],
+        ];
+
+        for (const domainCombination of domainCombinations) {
+            try {
+                STExpress.init({
+                    supertokens: {
+                        connectionURI: "http://localhost:8080",
+                    },
+                    appInfo: {
+                        appName: "SuperTokens",
+                        websiteDomain: domainCombination[0],
+                        apiDomain: domainCombination[1],
+                    },
+                    recipeList: [Session.init({ cookieSameSite: "none" })],
+                });
+            } catch (e) {
+                assert(false);
+            }
+            resetAll();
+        }
+    });
+
     it("testing sessionScope normalisation", async function () {
         assert(normaliseSessionScopeOrThrowError("api.example.com") === "api.example.com");
         assert(normaliseSessionScopeOrThrowError("http://api.example.com") === "api.example.com");
@@ -978,7 +1050,7 @@ describe(`configTest: ${printPath("[test/config.test.js]")}`, function () {
                     connectionURI: "http://localhost:8080",
                 },
                 appInfo: {
-                    apiDomain: "127.0.0.1:3000",
+                    apiDomain: "https://127.0.0.1:3000",
                     appName: "SuperTokens",
                     websiteDomain: "google.com",
                     apiBasePath: "test/",
