Open mdodell opened 2 years ago
Hey @mdodell! Check out this doc about SameSite=None. It looks like your current config will result in the cookie being blocked.
Hey @theblang - I tested this with a Heroku app as well, with the following config:

```ruby
config.cookie_enabled = true
config.cookie_name = "testing-dta"
config.cookie_attributes = {
  http_only: true,
  secure: true,
  same_site: "None"
}
```
You can test it locally for yourself here: https://github.com/mdodell/devise-token-auth.
Here is it running in Postman: https://www.postman.com/winter-star-976257/workspace/devise-token-auth-cookie-issue/overview.
I'll leave that Heroku app running for now so you can also play with it yourself.
As you can see, the response header for the validate-token route is as follows:

```
[{"key":"Set-Cookie","value":"testing-dta=myrAWLEsUDXd24MTWQpGe4OznN62sWsqiWu0cF9qcghaBPhxVVgC4Q4Luvrbg0TbE996lY6cxoSlkqm%2F5n6gprjqjekEAdl5a1wz%2FkjZyy1wFaNpjuVXErf1YICHa7d4Y%2BYZftdz2rHnoJEvMfeZZYbEjcAn%2BAYNa9MuCfUuYPiIipl%2B1If6c3YxHn9vUVFv0YLuaTob9m0PMb49diKY7saDS03IG2RT3VgelzYMKxEx7zIZB5yXbPsPuiWJP4EydpOnlP%2BFksgt4e36XmEAAwWkHg%3D%3D--OqIZoXHw3CkWjdEb--bUxopeO9VFnUF8Plu0S2Og%3D%3D; path=/; HttpOnly; SameSite=Lax"}]
```

SameSite is set to "Lax" and there is no Secure, even though they are configured to be SameSite "None" and Secure as true in the config here.
TL;DR: The validate_token route is ignoring/not using the configuration for the cookies.
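One way to check what a server actually returned in Set-Cookie against the cookie_attributes it was configured with, as an added example (not devise-token-auth code and not the reporter's). The observed header is a constructed stand-in for the one quoted above, with the token replaced by a placeholder; the expected hash mirrors the posted config.

```ruby
# Added example: compare a Set-Cookie header with the configured cookie_attributes
# and flag the SameSite=None-without-Secure combination browsers reject.

# Expected attributes, mirroring the config posted in the thread.
EXPECTED_COOKIE_ATTRIBUTES = { http_only: true, secure: true, same_site: "None" }.freeze

# Parse one Set-Cookie header value into { name:, value:, attrs: }.
# Attribute names are lower-cased; valueless flags (HttpOnly, Secure) map to true.
def parse_set_cookie(header)
  name_value, *attr_parts = header.split(";").map(&:strip)
  name, value = name_value.split("=", 2)
  attrs = {}
  attr_parts.each do |part|
    key, val = part.split("=", 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attrs: attrs }
end

# Return the list of mismatches between the header and the expected attribute hash
# (keys follow the devise-token-auth cookie_attributes config shown in the thread).
def cookie_attribute_problems(header, expected = EXPECTED_COOKIE_ATTRIBUTES)
  attrs = parse_set_cookie(header)[:attrs]
  problems = []
  problems << "HttpOnly missing" if expected[:http_only] && !attrs["httponly"]
  problems << "Secure missing" if expected[:secure] && !attrs["secure"]
  if expected[:same_site]
    actual = attrs["samesite"]
    unless actual.to_s.casecmp?(expected[:same_site])
      problems << "SameSite is #{actual.inspect}, expected #{expected[:same_site].inspect}"
    end
  end
  # Independent of config: browsers reject SameSite=None cookies that lack Secure.
  if attrs["samesite"].to_s.casecmp?("None") && !attrs["secure"]
    problems << "SameSite=None without Secure will be rejected by browsers"
  end
  problems
end

# Constructed sample in the shape of the header quoted in the issue (token is a placeholder).
OBSERVED_HEADER = "testing-dta=PLACEHOLDER_TOKEN; path=/; HttpOnly; SameSite=Lax"

if __FILE__ == $PROGRAM_NAME
  puts cookie_attribute_problems(OBSERVED_HEADER)
end
```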
Context
When we call the validate_token endpoint using Cookies, it overrides the cookie which contains important information like the access token, etc. I can't tell whether it is encrypting the token (when it was not encrypted upon signing up/logging in) or not. I have created a minimum-replication Rails app, which can be found here. I have also showcased this issue in Postman, with example endpoints to run, as well as examples of what their responses are.
The main issue is that when calling this endpoint with a cookie gained from signing up or logging in, the cookie is then set to a new cookie, and encrypted/scrambled.
Template Information
I have examples saved on this public Postman workspace.
I am using Cookies, so I have done the following. Secure will be set to true in a PROD environment, but it is needed as false in order to showcase this on Postman.
Gems: are you using MongoDB, Grape, RailsApi, ActiveAdmin, etc.?
Custom Overrides: what have you done in terms of custom controller overrides?
Custom Frontend: are you using ng-token-auth, jToker, Angular2-Token, or something else?