Ryan/documenso
1
0
Fork 1
mirror of https://github.com/documenso/documenso.git synced 2025-11-12 15:53:02 +10:00
Code Issues Packages Projects Releases Wiki Activity

fix: auth cookies across iframes (#1501)

Browse Source
This commit is contained in:
Lucas Smith
2024-12-03 15:28:30 +11:00
committed by GitHub
parent bdd33bd335
commit 2aae7435f8
3 changed files with 56 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/web/src/app/embed/sign/[[...url]]/page.tsx
View File

@ -80,7 +80,7 @@ export default async function EmbedSignDocumentPage({ params }: EmbedSignDocumen
return ( return (
<EmbedAuthenticateView <EmbedAuthenticateView
email={user?.email || recipient.email} email={user?.email || recipient.email}
returnTo={`/embed/direct/${token}`} returnTo={`/embed/sign/${token}`}
/> />
); );
} }

7
apps/web/src/middleware.ts
View File

@ -78,13 +78,14 @@ async function middleware(req: NextRequest): Promise<NextResponse> {
if (req.nextUrl.pathname.startsWith('/embed')) { if (req.nextUrl.pathname.startsWith('/embed')) {
const res = NextResponse.next(); const res = NextResponse.next();
const origin = req.headers.get('Origin') ?? '*';
// Allow third parties to iframe the document. // Allow third parties to iframe the document.
res.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); res.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.headers.set('Access-Control-Allow-Origin', '*'); res.headers.set('Access-Control-Allow-Origin', origin);
res.headers.set('Content-Security-Policy', 'frame-ancestors *'); res.headers.set('Content-Security-Policy', `frame-ancestors ${origin}`);
res.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin'); res.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
res.headers.set('X-Content-Type-Options', 'nosniff'); res.headers.set('X-Content-Type-Options', 'nosniff');
res.headers.set('X-Frame-Options', 'ALLOW-ALL');
return res; return res;
} }

51
packages/lib/next-auth/auth-options.ts
View File

@ -26,6 +26,9 @@ import { extractNextAuthRequestMetadata } from '../universal/extract-request-met
import { getAuthenticatorOptions } from '../utils/authenticator'; import { getAuthenticatorOptions } from '../utils/authenticator';
import { ErrorCode } from './error-codes'; import { ErrorCode } from './error-codes';
const useSecureCookies = process.env.NODE_ENV === 'production';
const cookiePrefix = useSecureCookies ? '__Secure-' : '';
export const NEXT_AUTH_OPTIONS: AuthOptions = { export const NEXT_AUTH_OPTIONS: AuthOptions = {
adapter: PrismaAdapter(prisma), adapter: PrismaAdapter(prisma),
secret: process.env.NEXTAUTH_SECRET ?? 'secret', secret: process.env.NEXTAUTH_SECRET ?? 'secret',
@ -431,5 +434,53 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
return true; return true;
}, },
}, },
cookies: {
sessionToken: {
name: `${cookiePrefix}next-auth.session-token`,
options: {
httpOnly: true,
sameSite: 'none',
path: '/',
secure: useSecureCookies,
},
},
callbackUrl: {
name: `${cookiePrefix}next-auth.callback-url`,
options: {
sameSite: 'none',
path: '/',
secure: useSecureCookies,
},
},
csrfToken: {
// Default to __Host- for CSRF token for additional protection if using useSecureCookies
// NB: The `__Host-` prefix is stricter than the `__Secure-` prefix.
name: `${cookiePrefix}next-auth.csrf-token`,
options: {
httpOnly: true,
sameSite: 'none',
path: '/',
secure: useSecureCookies,
},
},
pkceCodeVerifier: {
name: `${cookiePrefix}next-auth.pkce.code_verifier`,
options: {
httpOnly: true,
sameSite: 'none',
path: '/',
secure: useSecureCookies,
},
},
state: {
name: `${cookiePrefix}next-auth.state`,
options: {
httpOnly: true,
sameSite: 'none',
path: '/',
secure: useSecureCookies,
},
},
},
// Note: `events` are handled in `apps/web/src/pages/api/auth/[...nextauth].ts` to allow access to the request. // Note: `events` are handled in `apps/web/src/pages/api/auth/[...nextauth].ts` to allow access to the request.
}; };