fix: auth cookies across iframes (#1501)

2025-11-12 15:53:02 +10:00 · 2024-12-03 15:28:30 +11:00
parent bdd33bd335
commit 2aae7435f8
3 changed files with 56 additions and 4 deletions
--- a/apps/web/src/app/embed/sign/[[...url]]/page.tsx
+++ b/apps/web/src/app/embed/sign/[[...url]]/page.tsx
@ -80,7 +80,7 @@ export default async function EmbedSignDocumentPage({ params }: EmbedSignDocumen
    return (
      <EmbedAuthenticateView
        email={user?.email || recipient.email}
-        returnTo={`/embed/direct/${token}`}
+        returnTo={`/embed/sign/${token}`}
      />
    );
  }
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@ -78,13 +78,14 @@ async function middleware(req: NextRequest): Promise<NextResponse> {
  if (req.nextUrl.pathname.startsWith('/embed')) {
    const res = NextResponse.next();

+    const origin = req.headers.get('Origin') ?? '*';
+
    // Allow third parties to iframe the document.
    res.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
-    res.headers.set('Access-Control-Allow-Origin', '*');
-    res.headers.set('Content-Security-Policy', 'frame-ancestors *');
+    res.headers.set('Access-Control-Allow-Origin', origin);
+    res.headers.set('Content-Security-Policy', `frame-ancestors ${origin}`);
    res.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
    res.headers.set('X-Content-Type-Options', 'nosniff');
-    res.headers.set('X-Frame-Options', 'ALLOW-ALL');

    return res;
  }
--- a/packages/lib/next-auth/auth-options.ts
+++ b/packages/lib/next-auth/auth-options.ts
@ -26,6 +26,9 @@ import { extractNextAuthRequestMetadata } from '../universal/extract-request-met
 import { getAuthenticatorOptions } from '../utils/authenticator';
 import { ErrorCode } from './error-codes';

+const useSecureCookies = process.env.NODE_ENV === 'production';
+const cookiePrefix = useSecureCookies ? '__Secure-' : '';
+
 export const NEXT_AUTH_OPTIONS: AuthOptions = {
  adapter: PrismaAdapter(prisma),
  secret: process.env.NEXTAUTH_SECRET ?? 'secret',
@ -431,5 +434,53 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
      return true;
    },
  },
+  cookies: {
+    sessionToken: {
+      name: `${cookiePrefix}next-auth.session-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'none',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    callbackUrl: {
+      name: `${cookiePrefix}next-auth.callback-url`,
+      options: {
+        sameSite: 'none',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    csrfToken: {
+      // Default to __Host- for CSRF token for additional protection if using useSecureCookies
+      // NB: The `__Host-` prefix is stricter than the `__Secure-` prefix.
+      name: `${cookiePrefix}next-auth.csrf-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'none',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    pkceCodeVerifier: {
+      name: `${cookiePrefix}next-auth.pkce.code_verifier`,
+      options: {
+        httpOnly: true,
+        sameSite: 'none',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    state: {
+      name: `${cookiePrefix}next-auth.state`,
+      options: {
+        httpOnly: true,
+        sameSite: 'none',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+  },
  // Note: `events` are handled in `apps/web/src/pages/api/auth/[...nextauth].ts` to allow access to the request.
 };