New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add webauth & magic links to sveltekit #973
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great! A couple of small things once you rebase this on the latest master
.
24a91bf
to
06d1773
Compare
Use 307 status in redirects
cookies: Cookies, | ||
value: string, | ||
config: AuthConfig, | ||
isAuth = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I prefer two separate functions here than a boolean with a default value. If you want to share the base configuration object between both functions, that's fine! Something like:
const BASE_COOKIE_CONFIG = {
httpOnly: true,
sameSite: "lax",
path: "/",
};
then in the functions:
function setVerifierCookie(cookies: Cookies, config: AuthConfig, value: string): void {
const expires = new Date(Date.now() + 1000 * 60 * 24 * 7); // in 7 days
cookies.set(config.pkceVerifierCookieName, value, {
...BASE_COOKIE_CONFIG,
expires,
secure: config.baseUrl.startsWith("https"),
});
}
Then in the class you can:
private setVerifierCookie(verifier: string) {
setVerifierCookie(this.cookies, this.config, verifier);
}
The advantage here is that you can look at the call site and know which cookie it's setting without knowing if the optional true
means verifier or auth token, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, I agree with all of these, will update : )
Use separate functions for verifier and auth token.
private setVerifierCookie(verifier: string) { | ||
const expires = new Date(Date.now() + 1000 * 60 * 24 * 7); // In 7 days | ||
this.cookies.set(this.config.pkceVerifierCookieName, verifier, { | ||
httpOnly: true, | ||
sameSite: "lax", | ||
path: "/", | ||
expires, | ||
secure: this.isSecure, | ||
}); | ||
} | ||
|
||
private setAuthCookie(authToken: string) { | ||
const expires = Auth.getTokenExpiration(authToken); | ||
this.cookies.set(this.config.authCookieName, authToken, { | ||
httpOnly: true, | ||
sameSite: "lax", | ||
path: "/", | ||
expires: expires ?? undefined, | ||
secure: this.isSecure, | ||
}); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a blocker, but the change here would be smaller and easier to follow for future endpoints if we kept these class methods and just had them call the new function, so that other methods could continue to just call this.setAuthCookie(tokenData.auth_token)
, etc.
private setVerifierCookie(verifier: string) {
setVerifierCookie(this.cookies, this.config, verifier);
}
private setAuthCookie(authToken: string) {
setAuthCookie(this.cookies, this.config, authToken);
}
And for bonus points doing a similar thing for the delete cookie functionality:
private deleteVerifierCookie() {
deleteCookie(this.cookies, this.config.pkceVerifierCookieName);
}
private deleteAuthCookie() {
deleteCookie(this.cookies, this.config.authCookieName);
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm yes, this is even more cleaner (for cookies inside class methods), will update : )
but still we have to use functions for cookies outside the class
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🏆
I tested this with example sveltekit and it works.
I retested and it works, but not sure is the setCookie function definition the best, especially the params it needs, doesn't look very pretty.