SameSite config not respected by auth cookie #187

Closed
madaster97 opened this issue Feb 7, 2021 · 1 comment

madaster97 (Contributor) commented Feb 7, 2021

Describe the problem

The auth_verification cookie does not respect the SameSite attribute passed in config.session.cookie.sameSite.

This is expected for form_post response modes, where None is used to ensure the cookie is included in the cross-site POST response, but for other response modes, the library currently defaults to Lax, which breaks some deployments.

What was the expected behavior?

For response modes other than form_post, the SameSite attribute on the auth_verification cookie should respect the config attribute.

Specifically, I was trying to run my application within an iframe from a trusted origin, using SameSite=None for my cookies and validating the referer in my application. When I attempted to do a login flow, my auth_verification cookie wasn't setting, since SameSite=Lax was preventing the cookie from setting in a cross-origin frame.

Reproduction

  • Step 1: Spin up a sample application using a response mode of query and with a specific SameSite attribute configured.
const express = require('express');
const { auth } = require('express-openid-connect');

const app = express();

// Session cookie configured as Strict; with response_mode 'query' the
// transient auth_verification cookie is expected to use the same value.
app.use(auth({
    secret: '__test_session_secret__',
    clientID: '__test_client_id__',
    baseURL: 'https://example.org',
    issuerBaseURL: 'https://op.example.com',
    authRequired: false,
    clientSecret: '__test_client_secret__',
    session: {
        cookie: {
            sameSite: 'Strict'
        }
    },
    authorizationParams: {
        response_mode: 'query',
        response_type: 'code'
    }
}));
  • Step 2: Attempt a login flow, and see that the auth_verification cookie comes back with SameSite=Lax rather than the configured Strict:
    auth_verification=...; Path=/; HttpOnly; Secure; SameSite=Lax

Environment

  • Version of this library used: latest version (2.2.1)
  • Which framework are you using, if applicable: Express v4.17.0, Node v14.9.0
  • Other modules/plugins/libraries that might be involved: None.
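The following is an added example, not code from express-openid-connect, from the fix in #188, or from either commenter. It encodes the SameSite policy the report asks for (None for form_post, the configured session value otherwise) next to a simplified model of when a browser attaches a cookie, so the iframe failure and the form_post requirement can be checked side by side. Function names, the config objects and the request descriptors are assumptions made for this example; the browser model ignores the Chromium Lax+POST grace period and schemeful same-site.

```javascript
// Added example (not express-openid-connect's code, not from the issue's
// commenters): SameSite selection for the auth_verification cookie plus a
// simplified browser rule for when that cookie is attached. Function names
// and scenarios are hypothetical.

// Choose the SameSite attribute for the transient auth_verification cookie.
// form_post: the OP returns the code with a cross-site POST, so the cookie
// must be None (and Secure) or the state/nonce check on the callback fails.
// Every other response_mode: honour config.session.cookie.sameSite, falling
// back to Lax when nothing is configured.
function authVerificationSameSite(config) {
  const params = config.authorizationParams || {};
  const cookieCfg = (config.session && config.session.cookie) || {};
  if (params.response_mode === 'form_post') {
    return 'None';
  }
  return cookieCfg.sameSite || 'Lax';
}

// Simplified browser rule for attaching a cookie to a request.
// request: { crossSite: boolean, topLevel: boolean, method: string }
function cookieSent(sameSite, request) {
  switch (String(sameSite).toLowerCase()) {
    case 'none':
      return true; // attached to any request; browsers also require Secure
    case 'lax':
      // same-site requests, plus cross-site top-level navigations with a
      // safe method; never a cross-site iframe load or a cross-site POST
      return !request.crossSite || (request.topLevel && request.method === 'GET');
    case 'strict':
      return !request.crossSite;
    default:
      throw new Error('unknown SameSite value: ' + sameSite);
  }
}

// Set-Cookie header in the form the issue shows.
function setCookieHeader(name, value, sameSite) {
  return [name + '=' + value, 'Path=/', 'HttpOnly', 'Secure', 'SameSite=' + sameSite].join('; ');
}

// Would the callback request carry auth_verification under a given config?
function callbackSeesCookie(config, callbackRequest) {
  return cookieSent(authVerificationSameSite(config), callbackRequest);
}

// Constructed configs mirroring the report (assumed, not real deployments).
const strictQueryConfig = {
  session: { cookie: { sameSite: 'Strict' } },
  authorizationParams: { response_mode: 'query', response_type: 'code' },
};
const noneQueryConfig = {
  session: { cookie: { sameSite: 'None' } },
  authorizationParams: { response_mode: 'query', response_type: 'code' },
};
const formPostStrictConfig = {
  session: { cookie: { sameSite: 'Strict' } },
  authorizationParams: { response_mode: 'form_post', response_type: 'code' },
};

// Constructed callback requests: the app embedded in a cross-origin iframe
// (the reporter's setup), an ordinary top-level redirect from the OP, and
// the OP's form_post submission.
const iframeCallback = { crossSite: true, topLevel: false, method: 'GET' };
const redirectCallback = { crossSite: true, topLevel: true, method: 'GET' };
const formPostCallback = { crossSite: true, topLevel: true, method: 'POST' };

function demo() {
  return {
    // 2.2.1 behaviour: Lax regardless of config, so the embedded flow loses the cookie
    lax_in_iframe: cookieSent('Lax', iframeCallback),
    // requested behaviour: a None session config carries through to auth_verification
    none_in_iframe: callbackSeesCookie(noneQueryConfig, iframeCallback),
    // form_post must stay None even when the session cookie is Strict
    form_post_attr: authVerificationSameSite(formPostStrictConfig),
    form_post_delivered: callbackSeesCookie(formPostStrictConfig, formPostCallback),
    // caveat: Strict is also withheld from a cross-site top-level redirect,
    // so a Strict auth_verification cookie only survives a same-site callback
    strict_on_redirect: callbackSeesCookie(strictQueryConfig, redirectCallback),
    header: setCookieHeader('auth_verification', '...', authVerificationSameSite(noneQueryConfig)),
  };
}

console.log(demo());
```

The `cookieSent` rule is deliberately the coarse version of the browser policy: it is enough to show that a Lax cookie is never attached inside a cross-site iframe, that a cross-site POST (the form_post callback) needs None, and that Strict does not survive the OP's redirect back either, which is why the session value is the right thing to inherit only for non-form_post modes.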
adamjmcgrath (Contributor) commented
Fixed by #188 - thanks @madaster97!
