Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support SameSite cookie #50

Merged
merged 7 commits into from
Dec 13, 2022
Merged

Support SameSite cookie #50

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
15d2534
Encode illegal characters inside cookies and change cookies parsing l…
Dec 5, 2022
f1e4c4c
Release 1.3.1 (#49)
borisfba Dec 5, 2022
428e6e6
feat: support SameSite cookie directive
Dec 5, 2022
abb9a4d
Merge branch 'main' into feat/sameSiteCookie
Dec 5, 2022
cd02825
fix: merge conflicts
Dec 5, 2022
f8da6f6
Merge branch 'awslabs:main' into feat/sameSiteCookie
ckifer Dec 13, 2022
49321f0
fix: documentation, declare union type values, make sameSite optional…
Dec 13, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions __tests__/index.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,46 @@ describe('private functions', () => {
expect(authenticatorWithHttpOnly._jwtVerifier.verify).toHaveBeenCalled();
});

test('should set SameSite on cookies', async () => {
const authenticatorWithSameSite = new Authenticator({
region: 'us-east-1',
userPoolId: 'us-east-1_abcdef123',
userPoolAppId: '123456789qwertyuiop987abcd',
userPoolDomain: 'my-cognito-domain.auth.us-east-1.amazoncognito.com',
cookieExpirationDays: 365,
disableCookieDomain: false,
httpOnly: true,
logLevel: 'error',
sameSite: 'Strict',
});
authenticatorWithSameSite._jwtVerifier.cacheJwks(jwksData);

const username = 'toto';
const domain = 'example.com';
const path = '/test';
jest.spyOn(authenticatorWithSameSite._jwtVerifier, 'verify');
authenticatorWithSameSite._jwtVerifier.verify.mockReturnValueOnce(Promise.resolve({ token_use: 'id', 'cognito:username': username }));

const response = await authenticatorWithSameSite._getRedirectResponse(tokenData, domain, path);
expect(response).toMatchObject({
status: '302',
headers: {
location: [{
key: 'Location',
value: path,
}],
},
});
expect(response.headers['set-cookie']).toEqual(expect.arrayContaining([
{key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.accessToken=${tokenData.access_token}; Domain=${domain}; Expires=${DATE.toUTCString()}; Secure; HttpOnly; SameSite=Strict`},
{key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.refreshToken=${tokenData.refresh_token}; Domain=${domain}; Expires=${DATE.toUTCString()}; Secure; HttpOnly; SameSite=Strict`},
{key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.tokenScopesString=phone%20email%20profile%20openid%20aws.cognito.signin.user.admin; Domain=${domain}; Expires=${DATE.toUTCString()}; Secure; HttpOnly; SameSite=Strict`},
{key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.${username}.idToken=${tokenData.id_token}; Domain=${domain}; Expires=${DATE.toUTCString()}; Secure; HttpOnly; SameSite=Strict`},
{key: 'Set-Cookie', value: `CognitoIdentityServiceProvider.123456789qwertyuiop987abcd.LastAuthUser=${username}; Domain=${domain}; Expires=${DATE.toUTCString()}; Secure; HttpOnly; SameSite=Strict`},
]));
expect(authenticatorWithSameSite._jwtVerifier.verify).toHaveBeenCalled();
});

test('should getIdTokenFromCookie', () => {
const appClientName = 'toto,./;;..-_lol123';
expect(
Expand Down Expand Up @@ -212,6 +252,11 @@ describe('createAuthenticator', () => {
expect(typeof new Authenticator(params)).toBe('object');
});

test('should create authenticator with unvalidated samesite', () => {
params.sameSite = '123';
expect(() => new Authenticator(params)).toThrow('Expected params');
});

test('should fail when creating authenticator without params', () => {
// @ts-ignore
// ts-ignore is used here to override typescript's type check in the constructor
Expand Down
11 changes: 10 additions & 1 deletion src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@ import { parse, stringify } from 'querystring';
import pino from 'pino';
import { CognitoJwtVerifier } from 'aws-jwt-verify';
import { CloudFrontRequestEvent, CloudFrontRequestResult } from 'aws-lambda';
import { CookieAttributes, Cookies } from './util/cookie';
import { CookieAttributes, Cookies, SameSite } from './util/cookie';



interface AuthenticatorParams {
region: string;
Expand All @@ -14,6 +16,7 @@ interface AuthenticatorParams {
cookieExpirationDays?: number;
disableCookieDomain?: boolean;
httpOnly?: boolean;
sameSite?: SameSite;
logLevel?: 'fatal' | 'error' | 'warn' | 'info' | 'debug' | 'trace' | 'silent';
}

Expand All @@ -26,6 +29,7 @@ export class Authenticator {
_cookieExpirationDays: number;
_disableCookieDomain: boolean;
_httpOnly: boolean;
_sameSite: SameSite;
ckifer marked this conversation as resolved.
Show resolved Hide resolved
_cookieBase: string;
_logger;
_jwtVerifier;
Expand All @@ -40,6 +44,7 @@ export class Authenticator {
this._cookieExpirationDays = params.cookieExpirationDays || 365;
this._disableCookieDomain = ('disableCookieDomain' in params && params.disableCookieDomain === true);
this._httpOnly = ('httpOnly' in params && params.httpOnly === true);
this._sameSite = params.sameSite;
this._cookieBase = `CognitoIdentityServiceProvider.${params.userPoolAppId}`;
this._logger = pino({
level: params.logLevel || 'silent', // Default to silent
Expand Down Expand Up @@ -75,6 +80,9 @@ export class Authenticator {
if ('httpOnly' in params && typeof params.httpOnly !== 'boolean') {
throw new Error('Expected params.httpOnly to be a boolean');
}
if ('sameSite' in params && !['Strict', 'Lax', 'None'].includes(params.sameSite)) {
borisfba marked this conversation as resolved.
Show resolved Hide resolved
throw new Error('Expected params.sameSite to be a Strict || Lax || None');
}
}

/**
Expand Down Expand Up @@ -127,6 +135,7 @@ export class Authenticator {
expires: new Date(Date.now() + this._cookieExpirationDays * 864e+5),
secure: true,
httpOnly: this._httpOnly,
sameSite: this._sameSite,
};
const cookies = [
Cookies.serialize(`${usernameBase}.accessToken`, tokens.access_token, cookieAttributes),
Expand Down
9 changes: 9 additions & 0 deletions src/util/cookie.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ export interface Cookie {
value: string;
}

export type SameSite = 'Strict' | 'Lax' | 'None';
borisfba marked this conversation as resolved.
Show resolved Hide resolved

/**
* Cookie attributes to be used inside 'Set-Cookie' header
*/
Expand All @@ -27,6 +29,12 @@ export interface CookieAttributes {
*/
httpOnly?: boolean;

/**
* The SameSite attribute allows you to declare if your cookie should be restricted to a first-party or same-site context.
* Refer to {@link https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-samesite-cookiesRFC 6265 section 4.1.2.7.} for more details.
ckifer marked this conversation as resolved.
Show resolved Hide resolved
*/
sameSite?: SameSite;

/**
* The Max-Age attribute indicates the maximum lifetime of the cookie, represented as the number of seconds until
* the cookie expires.
Expand Down Expand Up @@ -94,6 +102,7 @@ export class Cookies {
...(attributes.maxAge ? [`Max-Age=${attributes.maxAge}`] : []),
...(attributes.secure ? ['Secure'] : []),
...(attributes.httpOnly ? ['HttpOnly'] : []),
...(attributes.sameSite ? [`SameSite=${attributes.sameSite}`] : []),
].join('; ');
}

Expand Down