adrien2p / medusa-plugins

A collection of awesome plugins for medusa :rocket:
https://medusa-plugins.vercel.app
MIT License

In Auth Medusa Cookie Not Set in Medusa Storefront in ProdOrStaging ENV Using Any Third Party Login #165

Closed zeelrupapara closed 5 months ago

zeelrupapara commented 5 months ago

Configuration Details:

Environment Variables:

STORE_URL="web.example.com"
BACKEND_URL="api.example.com"
NODE_ENV="production"

Medusa Backend Configuration for Google Auth:

{
  resolve: "medusa-plugin-auth",
  /** @type {import('medusa-plugin-auth').AuthOptions} */
  options: [
    {
      type: "google",
      identifier: "google",
      clientID: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      store: {
        callbackUrl: `${BACKEND_URL}/store/auth/google/cb`,
        failureRedirect: `${STORE_URL}/account`,
        successRedirect: `${STORE_URL}/`
      }
    },
  ]
}

Problem

When signing in with Google on web.example.com, the authentication is successful. However, the cookie is not set or sent back to the Medusa backend on subsequent requests. As a result, the customer-authenticated API calls from the frontend fail.

zeelrupapara commented 5 months ago

@adrien2p It's happening only when the front (storefront) and backend are assigned different domains or subdomains.

adrien2p commented 5 months ago

Indeed cookies are pretty strict nowadays, I am not sure I have an immediate solution for that as it touches security, but are you sure subdomains are affected? What is your domain? Is it part of the public suffix list or not?

zeelrupapara commented 5 months ago

@adrien2p I have a solution: what if we set only the TLD (top-level domain) in the cookie as the domain? Then it becomes a wildcard entry and we can set the cookie on any subdomain that refers to the TLD domain.

zeelrupapara commented 5 months ago

> Indeed cookies are pretty strict nowadays, I am not sure I have an immediate solution for that as it touches security, but are you sure subdomains are affected? What is your domain? Is it part of the public suffix list or not?

Yes I checked it @adrien2p, in the browser the cookie shows a warning: "This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was invalid regarding the current host URL."

Sorry, but I won't reveal my domain; I can give you a hint, though:

STORE_URL=store.example.com
BACKEND_URL=medusa.example.com

adrien2p commented 5 months ago

The cookie used in the auth plugin has a domain set with the value of the referrer. So in theory it should be accessible from the subdomain. On the other hand I don't think Medusa specifies a domain, which might make it only available to the domain itself. Let me know your thinking on it.

zeelrupapara commented 5 months ago

@adrien2p check the extractDomain function's test cases https://github.com/adrien2p/medusa-plugins/blob/main/packages/medusa-plugin-auth/src/core/passport/utils/__tests__/auth-route-builder.spec.ts#L13 and add the test cases below; then you will understand that the regex for getting the domain only works with www, not with other subdomains.

url = 'http://sub.google.com';
domain = extractDomain(url);
expect(domain).toBe('google.com');

Solution: https://github.com/adrien2p/medusa-plugins/pull/166
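To illustrate the point raised in this comment, here is an added example (written for this page, not the plugin's own `extractDomain` or the code from the linked PR) of a domain extractor that passes the `sub.google.com` case above as well as the `www` case, plus a helper that builds a `Set-Cookie` value scoped to that domain. The `MULTI_LABEL_SUFFIXES` set is a constructed placeholder for the Public Suffix List that adrien2p mentions; a production implementation would consult the full list, because a cookie whose Domain attribute is a public suffix (for example `co.uk`) is rejected by the browser.

```typescript
// Added example, not the medusa-plugin-auth code: derive the registrable
// domain of a URL so a session cookie can be shared by sibling subdomains
// such as store.example.com and medusa.example.com.

// Constructed, deliberately tiny subset of multi-label public suffixes.
// Real code should use the full Public Suffix List (https://publicsuffix.org/).
const MULTI_LABEL_SUFFIXES: ReadonlySet<string> = new Set(["co.uk", "com.au", "co.jp"]);

// IPv4 dotted quad, or a bracketed IPv6 literal as returned by URL.hostname.
function isIpAddress(host: string): boolean {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Returns the registrable domain ("example.com") of a URL: the widest value
// a browser accepts for a cookie's Domain attribute. Single-label hosts
// (localhost) and IP literals are returned unchanged, since browsers reject
// a Domain attribute that is not a DNS suffix of the current host.
function extractDomain(url: string): string {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  if (isIpAddress(host)) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  // Keep three labels when the last two form a known public suffix,
  // otherwise the registrable domain is the last two labels.
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Builds a Set-Cookie header value scoped to the storefront's registrable
// domain. Sibling subdomains of one registrable domain are same-site, so
// SameSite=Lax is enough for the storefront-to-backend requests described
// in this issue; Secure and HttpOnly keep the session token off plain HTTP
// and out of reach of page scripts.
function buildSessionCookie(name: string, value: string, storeUrl: string): string {
  const domain = extractDomain(storeUrl);
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Domain=${domain}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Usage with the hosts from the issue (constructed session id):
console.log(extractDomain("http://sub.google.com")); // google.com
console.log(buildSessionCookie("connect.sid", "s1", "https://store.example.com"));
```

The check a practitioner wants here is the one the reporter added: feeding a non-`www` subdomain into the extractor must still yield the parent domain, otherwise the backend emits a Domain attribute the browser discards with exactly the warning quoted above.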

adrien2p commented 5 months ago

My bad, yes you are right, sorry I missed the PR and I was sure I did it that way 😅

adrien2p commented 5 months ago

I've just merged and released a new version 👍 thanks for your contribution, it is very much appreciated