Skip to content
This repository has been archived by the owner on Apr 11, 2024. It is now read-only.

Commit

Permalink
Merge pull request #100 from Shopify/change_cookies_samesite_to_lax
Browse files Browse the repository at this point in the history
Set OAuth cookies SameSite to lax
  • Loading branch information
paulomarg authored Feb 9, 2021
2 parents ce3671a + 8258a6a commit 03ec242
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
- Webhooks types are now exported outside the library [#91](https://github.com/shopify/shopify-node-api/pull/91)
### Fixed
- Use cryptographically random bytes to generate nonce [#98](https://github.com/Shopify/shopify-node-api/pull/98)
- Stop using `SameSite=none` cookies for OAuth, using `lax` instead [#100](https://github.com/Shopify/shopify-node-api/pull/100)

## [0.3.1] - 2021-02-03
### Fixed
Expand Down
4 changes: 2 additions & 2 deletions src/auth/oauth/oauth.ts
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ const ShopifyOAuth = {
cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, session.id, {
signed: true,
expires: new Date(Date.now() + 60000),
sameSite: 'none',
sameSite: 'lax',
secure: true,
});

Expand Down Expand Up @@ -173,7 +173,7 @@ const ShopifyOAuth = {
cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, currentSession.id, {
signed: true,
expires: oauthSessionExpiration,
sameSite: 'none',
sameSite: 'lax',
secure: true,
});

Expand Down

0 comments on commit 03ec242

Please sign in to comment.