You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some examples using OAuth 2.0 based authentication with cookie doesn't work correctly in modern browser like Google Chrome and Firefox.
In these examples, state value are not set correctly in cookie because the requests for Cloud Functions are sent in cross domain and are not Top Level Navigation.
If SameSite attribute are not set, browsers treats it as Lax value by default. So I think SameSite attribute should be set to None.
Edit
The solution in #849 seems to be better, so the example in spotify-auth followed this.
State cookie is sent through the same domain and use __session key instead of state.
The examples of Instagram and Linkedin are fixed by #849, so I reverted modification for these examples.
@nokazn I ran into the same issues with authentication (for spotify) and tried out this solution. When setting setting sameSite: 'none' I received this error that caused the function not to run:
TypeError: option sameSite is invalid
at Object.serialize (/workspace/node_modules/cookie/index.js:174:15)
at ServerResponse.res.cookie (/workspace/node_modules/express/lib/response.js:853:36)
Changing it up to SameSite: 'none' with the first S uppercased solved the error. Have you seen that issue at all?
Changing it up to SameSite: 'none' with the first S uppercased solved the error. Have you seen that issue at all?
I tried some times, but couldn't reproduce the above error in my environment.
I think it's a dependency problem. The version of cookie package which express in firebase-functions, or cooike-parser uses may be old. cookie@0.3.x cannot address sameSite: 'none' attribute.
You can also check here.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Some examples using OAuth 2.0 based authentication with cookie doesn't work correctly in modern browser like Google Chrome and Firefox.
In these examples,
statevalue are not set correctly in cookie because the requests for Cloud Functions are sent in cross domain and are not Top Level Navigation.If
SameSiteattribute are not set, browsers treats it asLaxvalue by default.So I thinkSameSiteattribute should be set toNone.Edit
The solution in #849 seems to be better, so the example in spotify-auth followed this.
State cookie is sent through the same domain and use
__sessionkey instead ofstate.The examples of Instagram and Linkedin are fixed by #849, so I reverted modification for these examples.