nhost / hasura-backend-plus

🔑Auth and 📦Storage for Hasura. The quickest way to get Auth and Storage working for your next app based on Hasura.
https://nhost.github.io/hasura-backend-plus/
MIT License
1.17k stars 187 forks

Insecure Http cookies don't work on Chrome #656

Open joshmedeski opened 3 years ago

joshmedeski commented 3 years ago

Describe the bug

  1. If COOKIE_SECURE="true" on localhost development, I cannot test on Safari
  2. If COOKIE_SECURE="false" on localhost development, I cannot test on Chrome

To Reproduce

Steps to reproduce the behavior:

  1. Log in to the application
  2. Reload the browser to trigger refresh logic
  3. User won't be logged back in (http cookie doesn't exist)

Expected behavior

I expect to be able to test functionality across multiple browsers on local development.

Screenshots

(attached image: Screen Shot 2021-10-05 at 11 32 08 AM)

Desktop (please complete the following information):

Comments

I'm guessing there's some security setting on one of the browsers that needs to be changed so I can test http-only cookies across multiple browsers.

elitan commented 3 years ago

This is most likely due to browsers blocking third party cookies. You can confirm that it's the case if you enable third-party cookies: https://support.cloudhq.net/how-to-enable-3rd-party-cookies-in-google-chrome-browser/

I'd recommend saving the refresh token in localStorage instead. Use cookie: false when registering and logging in to receive the refresh token as part of the body.

https://github.com/nhost/nhost-js-sdk/blob/9d3d34c29e4c078abb591fcdc96eee4728c2e5f6/src/Auth.ts#L161-L171

https://github.com/nhost/nhost-js-sdk/blob/9d3d34c29e4c078abb591fcdc96eee4728c2e5f6/src/Auth.ts#L570-L574
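The reply above attributes the symptom to third-party cookie handling. The following is an added example, not code from this thread or from the nhost project: a small JavaScript model of the rules a modern browser applies when deciding whether to store a Set-Cookie header (Secure requires a trustworthy origin, SameSite=None requires Secure, a cookie set by a cross-site response must be SameSite=None and is then subject to the "block third-party cookies" setting). The `localhostIsTrustworthy` flag is an assumption standing in for browser-specific treatment of http://localhost, and the header strings and contexts are constructed for illustration; the exact attributes hasura-backend-plus emits are not shown on this page.

```javascript
// Added example (not nhost project code): a simplified model of browser
// cookie-storage rules, used to reason about why a refresh-token cookie set by
// an auth API on another origin may silently never be stored.

// Parse a Set-Cookie header value such as
//   "refresh_token=abc; HttpOnly; Secure; SameSite=None; Path=/"
// into a plain object. SameSite defaults to Lax when the attribute is absent,
// which is what current browsers do.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax',
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') {
      // Normalise case so "none", "NONE" and "None" compare equal.
      const s = (v || 'lax').trim().toLowerCase();
      cookie.sameSite = { none: 'None', lax: 'Lax', strict: 'Strict' }[s] || 'Lax';
    }
  }
  return cookie;
}

// Decide whether the browser will store the cookie.
// ctx fields (all constructed for this example):
//   scheme                  'http' or 'https' of the response origin
//   host                    host name of the response origin
//   crossSite               true when the API origin is a different site than the page
//   thirdPartyCookiesBlocked user/browser setting that drops cross-site cookies
//   localhostIsTrustworthy  ASSUMPTION flag: some browsers treat http://localhost
//                           as a secure context for the Secure attribute, others do not
function willStore(cookie, ctx) {
  const trustworthy =
    ctx.scheme === 'https' ||
    (Boolean(ctx.localhostIsTrustworthy) && ctx.host === 'localhost');

  // Rule 1: a Secure cookie is discarded when received over an insecure origin.
  if (cookie.secure && !trustworthy) {
    return { stored: false, reason: 'Secure cookie received over an insecure origin' };
  }
  // Rule 2: SameSite=None is only honoured together with Secure.
  if (cookie.sameSite === 'None' && !cookie.secure) {
    return { stored: false, reason: 'SameSite=None requires Secure' };
  }
  // Rule 3: a cookie set by a cross-site response is a third-party cookie; it must
  // be SameSite=None and the browser must not be configured to block it.
  if (ctx.crossSite) {
    if (cookie.sameSite !== 'None') {
      return { stored: false, reason: `cross-site response but SameSite=${cookie.sameSite}` };
    }
    if (ctx.thirdPartyCookiesBlocked) {
      return { stored: false, reason: 'third-party cookies blocked by browser setting' };
    }
  }
  return { stored: true, reason: 'ok' };
}

// Walk the two localhost configurations from the bug report through the model
// with constructed header values, so the failure mode of each is visible.
function localhostScenarios(opts = {}) {
  const ctx = {
    scheme: 'http',
    host: 'localhost',
    crossSite: true, // front end and auth API on different localhost ports count as cross-site here
    thirdPartyCookiesBlocked: Boolean(opts.thirdPartyCookiesBlocked),
    localhostIsTrustworthy: Boolean(opts.localhostIsTrustworthy),
  };
  return {
    secureTrue: willStore(parseSetCookie('refresh_token=x; HttpOnly; Secure; SameSite=None'), ctx),
    secureFalse: willStore(parseSetCookie('refresh_token=x; HttpOnly; SameSite=None'), ctx),
  };
}

// Stand-alone run: print both scenarios for a browser that does and does not
// treat localhost as trustworthy.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('localhost not trustworthy:', localhostScenarios({ localhostIsTrustworthy: false }));
  console.log('localhost trustworthy:   ', localhostScenarios({ localhostIsTrustworthy: true }));
}
```

The model makes the trade-off in the reply concrete: a cross-site cookie only survives when it is Secure, SameSite=None and not blocked by the third-party setting, which is why the same COOKIE_SECURE value cannot satisfy every browser on plain http. Moving the refresh token into the response body and localStorage sidesteps the cookie rules entirely, but it also removes the HttpOnly protection, so any script injection on the page can read the token; treat that as the cost of the workaround rather than a free fix.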