adonisjs / auth

Official Authentication package for AdonisJS
https://docs.adonisjs.com/guides/auth/introduction
MIT License
187 stars 65 forks

adonis-session not saved on redirect #214

Closed TheoA816 closed 1 year ago

TheoA816 commented 1 year ago

I am using google oauth and auth web guard for my login. Below is the end of my login function, after checking the google login.

  await auth.use('web').login(user);
  return response.redirect(`${Env.get('FRONTEND_DOMAIN')}`);

On localhost everything works fine: the auth user gets initialised and on subsequent route calls the user is still logged in. However, after deploying (using render.com), I find auth.user is initialised and saved before the return above, but after redirecting to the frontend, subsequent backend calls show that auth is not initialised. I changed nothing besides the localhost -> production links.

The biggest difference I see is that on localhost the adonis-session cookie is passed along with the request (screenshot, 2023-04-30 02:03:48) but not in production (screenshot, 2023-04-30 02:07:23).

I've tried changing config/session.ts (sameSite: false, an explicit domain name, etc.) but nothing works:

  cookie: {
    domain: '.onrender.com',
    path: '/',
    httpOnly: true,
    secure: true,
    sameSite: 'none',
  },

I assume the problem has to do with some cookie- and domain-name-related issue, but I'm clueless and have spent a whole day on this to no avail. Any help is appreciated.

Just for some extra info, my login flow is

and my Google config is as follows:

const allyConfig: AllyConfig = {
    /*
    |--------------------------------------------------------------------------
    | Google driver
    |--------------------------------------------------------------------------
    */
    google: {
        driver: 'google',
        clientId: Env.get('GOOGLE_CLIENT_ID'),
        clientSecret: Env.get('GOOGLE_CLIENT_SECRET'),
        callbackUrl: `${BACKEND_DOMAIN}/google-callback`,
    },
}
RomainLanz commented 1 year ago

Hey @TheoA816! 👋🏻

Cookies are not cross-domain. Your frontend and backend must be on the same (sub-)domain to work.

Also, you must use SameSite set to Lax.

And lastly, I am not sure about the onrender.com cookie policy, but maybe you will have more chances with a custom domain.

TheoA816 commented 1 year ago

Had to do with my FE and BE not being on the same domain. Accessed the backend through a proxy and everything worked fine. Thanks for the comment!
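The thread boils down to browser cookie scoping: which Set-Cookie headers a browser stores, and which stored cookies it attaches to a later request. The following is an added example, not code from adonisjs/auth or from either participant. It models RFC 6265 Domain/Path/Secure handling (including the public-suffix rule), the SameSite rules and the fetch() credentials rule, then replays the three situations above. The hostnames api.onrender.com and app.onrender.com are placeholders for the poster's BACKEND_DOMAIN and FRONTEND_DOMAIN, and PUBLIC_SUFFIXES is a constructed two-entry subset of the real Public Suffix List (https://publicsuffix.org/), which does list onrender.com. The proxy scenario assumes the frontend exposes the backend under its own origin (for example /api), which is what "accessed the backend through a proxy" most plausibly means here.

```javascript
// Added example (not adonisjs/auth code). Models RFC 6265 cookie scoping plus the
// browser's SameSite and fetch-credentials rules, then replays the thread's three
// situations. PUBLIC_SUFFIXES is a constructed subset of the real Public Suffix List;
// the real list includes onrender.com, which is what breaks Domain=.onrender.com.
const PUBLIC_SUFFIXES = new Set(['com', 'onrender.com']);

// eTLD+1 of a host, or null when the host is itself a public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  if (PUBLIC_SUFFIXES.has(labels.join('.'))) return null;
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join('.'))) return labels.slice(i).join('.');
  }
  return null;
}

// Two hosts are same-site when they share a registrable domain (scheme ignored here).
function isSameSite(a, b) {
  const ra = registrableDomain(a);
  return ra !== null && ra === registrableDomain(b);
}

// Given the host that sent Set-Cookie and its attributes, return the stored cookie,
// or null when a browser would discard the Set-Cookie.
function storeCookie(setterHost, attrs) {
  const host = setterHost.toLowerCase();
  let domain = (attrs.domain || '').toLowerCase().replace(/^\./, '');
  let hostOnly = true;
  if (domain !== '') {
    if (PUBLIC_SUFFIXES.has(domain)) {
      // RFC 6265 §5.3 step 5: a Domain that is a public suffix is rejected,
      // unless it is exactly the setting host, in which case it is ignored.
      if (domain !== host) return null;
      domain = '';
    } else if (host !== domain && !host.endsWith('.' + domain)) {
      return null; // step 6: Domain must domain-match the setting host
    } else {
      hostOnly = false;
    }
  }
  if (attrs.sameSite === 'None' && !attrs.secure) return null; // None requires Secure
  return {
    name: attrs.name,
    domain: domain || host,
    hostOnly,
    path: attrs.path || '/',
    secure: Boolean(attrs.secure),
    sameSite: attrs.sameSite || 'Lax', // unspecified is treated as Lax by modern browsers
  };
}

// Would the browser attach `cookie` to a request? req = { host, path, scheme,
// initiator (host of the page making the request), topLevelNavigation, credentials }.
function cookieSent(cookie, req) {
  const host = req.host.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith('.' + cookie.domain);
  if (!domainOk) return false;
  const prefix = cookie.path.endsWith('/') ? cookie.path : cookie.path + '/';
  if (req.path !== cookie.path && !req.path.startsWith(prefix)) return false;
  if (cookie.secure && req.scheme !== 'https') return false;
  // A cross-origin fetch() only carries cookies with credentials: 'include' (and the
  // server must answer CORS accordingly); a top-level navigation always carries them.
  const crossOrigin = req.initiator.toLowerCase() !== host;
  if (!req.topLevelNavigation && crossOrigin && req.credentials !== 'include') return false;
  if (!isSameSite(req.initiator, host)) {
    if (cookie.sameSite === 'Strict') return false;
    if (cookie.sameSite === 'Lax' && !req.topLevelNavigation) return false;
  }
  return true;
}

// 1. The config from the issue: Domain=.onrender.com set by api.onrender.com.
//    onrender.com is a public suffix, so the Set-Cookie is dropped and never sent.
function issueConfig() {
  return storeCookie('api.onrender.com',
    { name: 'adonis-session', domain: '.onrender.com', secure: true, sameSite: 'None' });
}

// 2. Frontend on app.onrender.com calling api.onrender.com with fetch(). Because
//    onrender.com is a public suffix, these are different sites, not merely origins.
function splitHosts(sameSiteAttr, credentials) {
  const c = storeCookie('api.onrender.com',
    { name: 'adonis-session', secure: true, sameSite: sameSiteAttr });
  return c !== null && cookieSent(c, { host: 'api.onrender.com', path: '/me', scheme: 'https',
    initiator: 'app.onrender.com', topLevelNavigation: false, credentials });
}

// 3. The fix from the thread: the frontend proxies /api/* to the backend, so the cookie
//    is set and read on app.onrender.com itself and the default SameSite=Lax works.
function viaProxy() {
  const c = storeCookie('app.onrender.com', { name: 'adonis-session', secure: true, sameSite: 'Lax' });
  return cookieSent(c, { host: 'app.onrender.com', path: '/api/me', scheme: 'https',
    initiator: 'app.onrender.com', topLevelNavigation: false, credentials: 'same-origin' });
}
```

Read with the thread: `issueConfig()` returns null, so the cookie in the poster's production config never reached the browser's jar at all; with no Domain attribute it would be stored, but `splitHosts('Lax', 'include')` is still false because the two onrender.com subdomains are different sites, and only `splitHosts('None', 'include')` sends it, at the cost of CORS with credentials. `viaProxy()` is true with the default Lax setting, which is the combination RomainLanz recommends and the poster ended up with.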