From 8b9dac016fc6d4f6fa9755558cd17c30a1774899 Mon Sep 17 00:00:00 2001
From: nokazn
Date: Wed, 10 Feb 2021 22:57:24 +0900
Subject: [PATCH 1/3] set sameSite attributes to none

---
 instagram-auth/functions/index.js | 1 +
 linkedin-auth/functions/index.js | 1 +
 spotify-auth/functions/index.js | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/instagram-auth/functions/index.js b/instagram-auth/functions/index.js
index 5e5e72f230..68259cedaf 100644
--- a/instagram-auth/functions/index.js
+++ b/instagram-auth/functions/index.js
@@ -64,6 +64,7 @@ exports.redirect = functions.https.onRequest((req, res) => {
 maxAge: 3600000,
 secure: true,
 httpOnly: true,
+ sameSite: 'none',
 });
 const redirectUri = oauth2.authorizationCode.authorizeURL({
 redirect_uri: OAUTH_REDIRECT_URI,
diff --git a/linkedin-auth/functions/index.js b/linkedin-auth/functions/index.js
index 20b44ac27c..da14332cb3 100644
--- a/linkedin-auth/functions/index.js
+++ b/linkedin-auth/functions/index.js
@@ -56,6 +56,7 @@ exports.redirect = functions.https.onRequest((req, res) => {
 maxAge: 3600000,
 secure: true,
 httpOnly: true,
+ sameSite: 'none',
 });
 Linkedin.auth.authorize(res, OAUTH_SCOPES, state.toString());
 });
diff --git a/spotify-auth/functions/index.js b/spotify-auth/functions/index.js
index a2c9fd1d03..8c3b2be700 100644
--- a/spotify-auth/functions/index.js
+++ b/spotify-auth/functions/index.js
@@ -48,7 +48,7 @@ exports.redirect = functions.https.onRequest((req, res) => {
 cookieParser()(req, res, () => {
 const state = req.cookies.state || crypto.randomBytes(20).toString('hex');
 console.log('Setting verification state:', state);
- res.cookie('state', state.toString(), {maxAge: 3600000, secure: true, httpOnly: true});
+ res.cookie('state', state.toString(), {maxAge: 3600000, secure: true, httpOnly: true, sameSite: 'none'});
 const authorizeURL = Spotify.createAuthorizeURL(OAUTH_SCOPES, state.toString());
 res.redirect(authorizeURL);
 });
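Review bot: `sameSite: 'none'` lifts the cross-site restriction on the one cookie whose job is to bind the OAuth callback to this browser, and none of the three hunks (the instagram, linkedin and spotify `redirect` handlers, each of which starts outside its hunk) records why the relaxation is needed. From the spotify hunk the reason appears to be that `popup.html` on the Hosting origin loads the `token` function on `cloudfunctions.net` as a cross-site `<script>` request, which a `Lax` cookie would not accompany; the top-level redirect back from the provider would have worked under `Lax` on its own. A comment next to each `res.cookie` call, e.g. `// SameSite=None: the 'token' JSONP request is issued cross-site from the Hosting origin, so Lax would drop the cookie`, would keep that reasoning with the code, and serving the function from the same origin (a Hosting rewrite) would remove the need for it. It is also worth confirming that the installed `cookie` module accepts the string `'none'` for `sameSite`; older releases reject values they do not know.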
From 123bd2f536aa994e386469513668c6b7bd8738ed Mon Sep 17 00:00:00 2001
From: nokazn
Date: Tue, 27 Apr 2021 02:22:27 +0900
Subject: [PATCH 2/3] Revert "set sameSite attributes to none"

This reverts commit 8b9dac016fc6d4f6fa9755558cd17c30a1774899.
---
 instagram-auth/functions/index.js | 1 -
 linkedin-auth/functions/index.js | 1 -
 spotify-auth/functions/index.js | 2 +-
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/instagram-auth/functions/index.js b/instagram-auth/functions/index.js
index 68259cedaf..5e5e72f230 100644
--- a/instagram-auth/functions/index.js
+++ b/instagram-auth/functions/index.js
@@ -64,7 +64,6 @@ exports.redirect = functions.https.onRequest((req, res) => {
 maxAge: 3600000,
 secure: true,
 httpOnly: true,
- sameSite: 'none',
 });
 const redirectUri = oauth2.authorizationCode.authorizeURL({
 redirect_uri: OAUTH_REDIRECT_URI,
diff --git a/linkedin-auth/functions/index.js b/linkedin-auth/functions/index.js
index da14332cb3..20b44ac27c 100644
--- a/linkedin-auth/functions/index.js
+++ b/linkedin-auth/functions/index.js
@@ -56,7 +56,6 @@ exports.redirect = functions.https.onRequest((req, res) => {
 maxAge: 3600000,
 secure: true,
 httpOnly: true,
- sameSite: 'none',
 });
 Linkedin.auth.authorize(res, OAUTH_SCOPES, state.toString());
 });
diff --git a/spotify-auth/functions/index.js b/spotify-auth/functions/index.js
index 8c3b2be700..a2c9fd1d03 100644
--- a/spotify-auth/functions/index.js
+++ b/spotify-auth/functions/index.js
@@ -48,7 +48,7 @@ exports.redirect = functions.https.onRequest((req, res) => {
 cookieParser()(req, res, () => {
 const state = req.cookies.state || crypto.randomBytes(20).toString('hex');
 console.log('Setting verification state:', state);
- res.cookie('state', state.toString(), {maxAge: 3600000, secure: true, httpOnly: true, sameSite: 'none'});
+ res.cookie('state', state.toString(), {maxAge: 3600000, secure: true, httpOnly: true});
 const authorizeURL = Spotify.createAuthorizeURL(OAUTH_SCOPES, state.toString());
 res.redirect(authorizeURL);
 });

From ea38673a2c6cd5aaa75547a2fa2055221febaa5e Mon Sep 17 00:00:00 2001
From: nokazn
Date: Tue, 27 Apr 2021 02:56:23 +0900
Subject: [PATCH 3/3] fix: use the same domain cookie in __session

---
 spotify-auth/firebase.json | 12 +++++++++++-
 spotify-auth/functions/index.js | 14 +++++++-------
 spotify-auth/public/popup.html | 4 ++--
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/spotify-auth/firebase.json b/spotify-auth/firebase.json
index e7c9fc271b..a46b34b8a7 100644
--- a/spotify-auth/firebase.json
+++ b/spotify-auth/firebase.json
@@ -3,6 +3,16 @@
 "rules": "database.rules.json"
 },
 "hosting": {
- "public": "public"
+ "public": "public",
+ "rewrites": [
+ {
+ "source": "/redirect",
+ "function": "redirect"
+ },
+ {
+ "source": "/token",
+ "function": "token"
+ }
+ ]
 }
 }
diff --git a/spotify-auth/functions/index.js b/spotify-auth/functions/index.js
index a2c9fd1d03..0df38d467f 100644
--- a/spotify-auth/functions/index.js
+++ b/spotify-auth/functions/index.js
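Review bot: The two new rewrites put `/redirect` and `/token` behind the Firebase Hosting CDN, and nothing in this patch shows whether the `token` function's response, which carries a Firebase custom token, sets a `Cache-Control` header that keeps it out of any shared cache; the function's response code is not in the patch, so this needs checking on the function side. Hosting forwards only the `__session` cookie to rewritten functions, which is the reason the index.js hunks rename the cookie, but `firebase.json` cannot carry that explanation, so it belongs in the README or in the `redirect` function's JSDoc. The previous direct `cloudfunctions.net` URLs stay reachable after this change, so both functions are now served from two origins; that is harmless for the flow as rewritten, but it is worth knowing when reasoning about where the cookie is scoped.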
@@ -41,14 +41,14 @@ const Spotify = new SpotifyWebApi({
 const OAUTH_SCOPES = ['user-read-email'];
 
 /**
- * Redirects the User to the Spotify authentication consent screen. Also the 'state' cookie is set for later state
+ * Redirects the User to the Spotify authentication consent screen. Also the '__session' cookie is set for later state
 * verification.
 */
 exports.redirect = functions.https.onRequest((req, res) => {
 cookieParser()(req, res, () => {
- const state = req.cookies.state || crypto.randomBytes(20).toString('hex');
+ const state = req.cookies.__session || crypto.randomBytes(20).toString('hex');
 console.log('Setting verification state:', state);
- res.cookie('state', state.toString(), {maxAge: 3600000, secure: true, httpOnly: true});
+ res.cookie('__session', state.toString(), {maxAge: 3600000, secure: true, httpOnly: true});
 const authorizeURL = Spotify.createAuthorizeURL(OAUTH_SCOPES, state.toString());
 res.redirect(authorizeURL);
 });
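Review bot: The updated JSDoc names the `__session` cookie but not why that exact name is mandatory, so a later reader may "fix" it back to `state` and silently break the flow; add a line to the docblock such as ` * The cookie must be named '__session': Firebase Hosting forwards only that cookie to functions reached through a rewrite.` Now that `popup.html` loads `/token` from the same origin, the cookie no longer has to travel on cross-site subresource requests, so the `res.cookie` call can state its policy instead of relying on the browser default: `res.cookie('__session', state.toString(), {maxAge: 3600000, secure: true, httpOnly: true, sameSite: 'lax'});`. The renamed `req.cookies.__session || crypto.randomBytes(20).toString('hex')` also carries over the existing behaviour of reusing a still-valid cookie value for a new authorization request rather than minting a fresh nonce each time; that predates this commit but is worth a follow-up. The `onRequest` callback closes outside the hunk.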
@@ -56,18 +56,18 @@ exports.redirect = functions.https.onRequest((req, res) => {
 
 /**
 * Exchanges a given Spotify auth code passed in the 'code' URL query parameter for a Firebase auth token.
- * The request also needs to specify a 'state' query parameter which will be checked against the 'state' cookie.
+ * The request also needs to specify a 'state' query parameter which will be checked against the '__session' cookie.
 * The Firebase custom auth token is sent back in a JSONP callback function with function name defined by the
 * 'callback' query parameter.
 */
 exports.token = functions.https.onRequest((req, res) => {
 try {
 cookieParser()(req, res, () => {
- console.log('Received verification state:', req.cookies.state);
+ console.log('Received verification state:', req.cookies.__session);
 console.log('Received state:', req.query.state);
- if (!req.cookies.state) {
+ if (!req.cookies.__session) {
 throw new Error('State cookie not set or expired. Maybe you took too long to authorize. Please try again.');
- } else if (req.cookies.state !== req.query.state) {
+ } else if (req.cookies.__session !== req.query.state) {
 throw new Error('State validation failed');
 }
 console.log('Received auth code:', req.query.code);
diff --git a/spotify-auth/public/popup.html b/spotify-auth/public/popup.html
index 209b90294e..93d951f306 100644
--- a/spotify-auth/public/popup.html
+++ b/spotify-auth/public/popup.html
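Review bot: `req.cookies.__session !== req.query.state` accepts `req.query.state` of any shape; with Express's default query parser a request like `?state[]=x` arrives as an array, which the comparison rejects (the safe outcome), but the intent is clearer and later uses of `req.query.state` in the function more predictable with an explicit type guard: `} else if (typeof req.query.state !== 'string' || req.cookies.__session !== req.query.state) {`. A plain `!==` is defensible for a single-use CSRF nonce, though comparing equal-length Buffers with `crypto.timingSafeEqual` would settle the question for good. The hunk does not show the cookie being cleared after a successful check; if the rest of `exports.token`, which continues outside the hunk, does not call `res.clearCookie('__session')`, the nonce stays valid for the cookie's full `maxAge` across later requests.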
@@ -65,14 +65,14 @@ document.body.innerText = 'Error back from the Spotify auth page: ' + error; } else if(!code) { // Start the auth flow. - window.location.href = 'https://us-central1-' + getFirebaseProjectId() + '.cloudfunctions.net/redirect'; + window.location.href = '/redirect'; } else { // Use JSONP to load the 'token' Firebase Function to exchange the auth code against a Firebase custom token. const script = document.createElement('script'); script.type = 'text/javascript'; // This is the URL to the HTTP triggered 'token' Firebase Function. // See https://firebase.google.com/docs/functions. - var tokenFunctionURL = 'https://us-central1-' + getFirebaseProjectId() + '.cloudfunctions.net/token'; + var tokenFunctionURL = '/token'; script.src = tokenFunctionURL + '?code=' + encodeURIComponent(code) + '&state=' + encodeURIComponent(state) +