From 8b7a0cf405b3ec3586eda2461458abeb0b896e6d Mon Sep 17 00:00:00 2001
From: Philzen
Date: Tue, 17 Dec 2024 00:27:27 +0100
Subject: [PATCH] [docs] Reflect new structure of cookie config object since RW 6.4 (#11781)
See #9248
---------
Co-authored-by: Tobbe Lundberg
---
 docs/docs/auth/dbauth.md | 43 +++++++++++-------
 .../versioned_docs/version-6.x/auth/dbauth.md | 45 ++++++++++++-------
 .../versioned_docs/version-7.x/auth/dbauth.md | 45 ++++++++++++-------
 .../versioned_docs/version-8.0/auth/dbauth.md | 45 ++++++++++++-------
 .../versioned_docs/version-8.1/auth/dbauth.md | 45 ++++++++++++-------
 .../versioned_docs/version-8.2/auth/dbauth.md | 45 ++++++++++++-------
 .../versioned_docs/version-8.3/auth/dbauth.md | 45 ++++++++++++-------
 .../versioned_docs/version-8.4/auth/dbauth.md | 45 ++++++++++++-------
 8 files changed, 223 insertions(+), 135 deletions(-)
diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md
index b4207909941c..357c19da8c3d 100644
--- a/docs/docs/auth/dbauth.md
+++ b/docs/docs/auth/dbauth.md
@@ -316,14 +316,19 @@ These options determine how the cookie that tracks whether the client is authori

 ```javascript
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%',
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ },
 },

 forgotPassword: forgotPasswordOptions,
diff --git a/docs/versioned_docs/version-6.x/auth/dbauth.md b/docs/versioned_docs/version-6.x/auth/dbauth.md
index b87d4cf3a9f3..63afe9b9ab93 100644
--- a/docs/versioned_docs/version-6.x/auth/dbauth.md
+++ b/docs/versioned_docs/version-6.x/auth/dbauth.md
@@ -283,16 +283,21 @@ By default no setting is required. This is because each db has its own rules for

 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%'
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -317,15 +322,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -520,10 +529,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ }
 },

 forgotPassword: forgotPasswordOptions,
diff --git a/docs/versioned_docs/version-7.x/auth/dbauth.md b/docs/versioned_docs/version-7.x/auth/dbauth.md
index 7bb395831159..12a2cf2c22af 100644
--- a/docs/versioned_docs/version-7.x/auth/dbauth.md
+++ b/docs/versioned_docs/version-7.x/auth/dbauth.md
@@ -311,16 +311,21 @@ By default no setting is required. This is because each db has its own rules for

 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%'
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -345,15 +350,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -550,10 +559,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ }
 },

 forgotPassword: forgotPasswordOptions,
diff --git a/docs/versioned_docs/version-8.0/auth/dbauth.md b/docs/versioned_docs/version-8.0/auth/dbauth.md
index b4207909941c..d0234d5d10c6 100644
--- a/docs/versioned_docs/version-8.0/auth/dbauth.md
+++ b/docs/versioned_docs/version-8.0/auth/dbauth.md
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for

 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%'
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ }
 },

 forgotPassword: forgotPasswordOptions,
diff --git a/docs/versioned_docs/version-8.1/auth/dbauth.md b/docs/versioned_docs/version-8.1/auth/dbauth.md
index b4207909941c..d0234d5d10c6 100644
--- a/docs/versioned_docs/version-8.1/auth/dbauth.md
+++ b/docs/versioned_docs/version-8.1/auth/dbauth.md
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for

 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%'
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ }
 },

 forgotPassword: forgotPasswordOptions,
diff --git a/docs/versioned_docs/version-8.2/auth/dbauth.md b/docs/versioned_docs/version-8.2/auth/dbauth.md
index b4207909941c..d0234d5d10c6 100644
--- a/docs/versioned_docs/version-8.2/auth/dbauth.md
+++ b/docs/versioned_docs/version-8.2/auth/dbauth.md
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for

 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%'
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ }
 },

 forgotPassword: forgotPasswordOptions,
diff --git a/docs/versioned_docs/version-8.3/auth/dbauth.md b/docs/versioned_docs/version-8.3/auth/dbauth.md
index b4207909941c..d0234d5d10c6 100644
--- a/docs/versioned_docs/version-8.3/auth/dbauth.md
+++ b/docs/versioned_docs/version-8.3/auth/dbauth.md
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for

 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%'
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ }
 },

 forgotPassword: forgotPasswordOptions,
diff --git a/docs/versioned_docs/version-8.4/auth/dbauth.md b/docs/versioned_docs/version-8.4/auth/dbauth.md
index b4207909941c..d0234d5d10c6 100644
--- a/docs/versioned_docs/version-8.4/auth/dbauth.md
+++ b/docs/versioned_docs/version-8.4/auth/dbauth.md
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for

 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).

-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: true,
- // Domain: 'example.com',
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: true,
+ // Domain: 'example.com',
+ },
+ // name: 'session_%port%'
 }
 ```

+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config

 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.

 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
- Domain: 'example.com'
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ // highlight-next-line
+ Domain: 'example.com'
+ },
+ // name: 'session_%port%'
 }
 ```

@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
 },

 cookie: {
- HttpOnly: true,
- Path: '/',
- SameSite: 'Strict',
- Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ attributes: {
+ HttpOnly: true,
+ Path: '/',
+ SameSite: 'Strict',
+ Secure: process.env.NODE_ENV !== 'development' ? true : false,
+ }
 },

 forgotPassword: forgotPasswordOptions,