aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Could you document the server-side cookie behavior of `@aws-amplify/adapter-nextjs`? #14026

Open k1350 opened 1 day ago

k1350 commented 1 day ago

Is this related to a new or existing framework?

Next.js

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

When using @aws-amplify/adapter-nextjs, it is noted in the comment below that cookies set on the server-side will have a default value. https://github.com/aws-amplify/amplify-js/issues/12866#issuecomment-1909220118

In practice, when fetchAuthSession is executed within Next.js Server Actions and a token refresh occurs, cookies are set.

I think this behavior does not appear to be documented. However, it is significant because it can cause issues in scenarios where CookieStorage is configured as shown below:

'use client';

import { Amplify } from 'aws-amplify';
import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
import { CookieStorage } from 'aws-amplify/utils';
import { amplifyConfig } from '..';

Amplify.configure(amplifyConfig, { ssr: true });

cognitoUserPoolsTokenProvider.setKeyValueStorage(
  new CookieStorage({
    domain: "example.com",
    secure: true,
    path: '/',
    sameSite: 'lax',
    expires: 30,
  }),
);

export function ConfigureAmplifyClientSide() {
  return null;
}

If you configure CookieStorage as above, cookies with a mismatched domain field, set on the server-side, will not be deleted when performing a signout on the client-side. As a result, stale cookies eventually trigger repeated tokenRefresh_failure events, leaving users unable to log in.

I have commented on the following issue to provide more details about this behavior: https://github.com/aws-amplify/amplify-js/issues/13940#issuecomment-2487877357

This behavior—where cookies set on the server-side have default values—cannot be overlooked. I would like this behavior of @aws-amplify/adapter-nextjs to be documented explicitly.

Describe the solution you'd like

I would like this behavior of @aws-amplify/adapter-nextjs to be documented explicitly.

Describe alternatives you've considered

None

Additional context

No response

Is this something that you'd be interested in working on?
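The mismatch described in this issue is a plain cookie-scoping rule: a browser only overwrites or deletes a cookie whose name, Domain and Path all match, so clearing the Domain-scoped copy leaves the host-only copy the server wrote. The following is an added illustration, not code from the amplify-js project or from the issue author; the `auth.` cookie prefix, the cookie names and the request header are constructed assumptions, and the helpers are meant to run in a Next.js route handler or similar server code.

```javascript
// Added example, not code from the amplify-js project or the issue author.
// A browser only overwrites or deletes a cookie whose name, Domain and Path
// match exactly, so a sign-out that clears "name" with Domain=example.com
// leaves a host-only "name" (no Domain attribute) in place. Two helpers:
//  - duplicateCookieNames(): detect that both variants coexist (the browser
//    then sends the same name twice in the Cookie header);
//  - buildClearCookieHeaders(): expire every matching cookie in both forms.
// The "auth." prefix and the cookie names below are constructed assumptions.

function cookieNamesFromHeader(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.includes('='))
    .map((part) => part.slice(0, part.indexOf('=')));
}

// Names that appear more than once: a sign that a host-only cookie and a
// Domain-scoped cookie with the same name both survived a sign-out.
function duplicateCookieNames(cookieHeader) {
  const seen = new Map();
  for (const name of cookieNamesFromHeader(cookieHeader)) {
    seen.set(name, (seen.get(name) || 0) + 1);
  }
  return [...seen].filter(([, n]) => n > 1).map(([name]) => name);
}

// One expiring Set-Cookie value per (name, variant). Only the Domain attribute
// differs; Path must match the value the cookies were written with.
function buildClearCookieHeaders(cookieHeader, { prefix, domain, path = '/' }) {
  const expire = `Path=${path}; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
  const headers = [];
  for (const name of new Set(cookieNamesFromHeader(cookieHeader))) {
    if (!name.startsWith(prefix)) continue;
    headers.push(`${name}=; ${expire}`);                    // host-only form
    headers.push(`${name}=; Domain=${domain}; ${expire}`);  // Domain form
  }
  return headers;
}

// Constructed request header: refreshToken survived twice, theme is unrelated.
const sampleCookieHeader =
  'auth.accessToken=a1; auth.refreshToken=r1; auth.refreshToken=r2; theme=dark';

console.log(duplicateCookieNames(sampleCookieHeader)); // [ 'auth.refreshToken' ]
// In a route handler each value is appended as a Set-Cookie header on the
// sign-out response, so both variants of every auth cookie expire.
console.log(buildClearCookieHeaders(sampleCookieHeader, {
  prefix: 'auth.', domain: 'example.com',
}));
```

Seeing a duplicated name in an incoming Cookie header is the cheapest server-side check that the stale-cookie situation from this issue has already occurred for that user.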

HuiSF commented 1 day ago

Thanks for the suggestion. @k1350 Currently, the documentation points out that the auth tokens may be sent back to the client from the server when calling the server-side fetchAuthSession(), but it doesn't clarify that the cookie attributes cannot be customized on the server-side given the current state. I will look into updating the documentation.

In addition, we have a plan to enable cookie attribute customization for the Next.js adapter on the server side in the near future, please stay tuned. :)