From c3812caf6842496ea90bb6bbf159b22ac5aa56ae Mon Sep 17 00:00:00 2001 From: Philzen Date: Sun, 15 Dec 2024 17:55:01 +0100 Subject: [PATCH 01/10] Reflect new structure of cookie config object since RW 6.4 See #9248 --- docs/docs/auth/dbauth.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index b4207909941c..490769c8af99 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md @@ -316,14 +316,19 @@ These options determine how the cookie that tracks whether the client is authori ```javascript cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port% will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). From 00c6b443579f17237e2e00cf194bd384d24e94c4 Mon Sep 17 00:00:00 2001 From: Philzen Date: Sun, 15 Dec 2024 18:01:24 +0100 Subject: [PATCH 02/10] Reflect new structure of cookie config object since RW 6.4 Also add highlighting for the relevant line --- docs/docs/auth/dbauth.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index 490769c8af99..1c34f8e76a75 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md 
@@ -357,11 +357,15 @@ To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` ```json title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` From 978ad2b6c3b59363fb8fd34852e369ecceb478bb Mon Sep 17 00:00:00 2001 From: Philzen Date: Mon, 16 Dec 2024 14:35:39 +0100 Subject: [PATCH 03/10] =?UTF-8?q?Fix=20cookie.domain=20=E2=86=92=20cookie.?= =?UTF-8?q?attributes.domain?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/docs/auth/dbauth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index 1c34f8e76a75..8acfb9cdf97a 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md 
@@ -353,7 +353,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```json title="api/src/functions/auth.js" cookie: { From e8c0527bddbc5f3d78377a66a6e0fd239c096694 Mon Sep 17 00:00:00 2001 From: Tobbe Lundberg Date: Mon, 16 Dec 2024 14:40:11 +0100 Subject: [PATCH 04/10] Update docs/docs/auth/dbauth.md --- docs/docs/auth/dbauth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index 8acfb9cdf97a..19a1b1bec6af 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md @@ -327,7 +327,7 @@ cookie: { } ``` -As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port% will be replaced with the port the api server is running on. +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. ### CORS config From 7907bedb684f62d765210f9ab58444f3b5dde23d Mon Sep 17 00:00:00 2001 
From: Philzen Date: Mon, 16 Dec 2024 14:54:08 +0100 Subject: [PATCH 05/10] Reflect new structure of cookie config object since RW 6.4 --- .../versioned_docs/version-6.x/auth/dbauth.md | 35 ++++++++++++------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/docs/versioned_docs/version-6.x/auth/dbauth.md b/docs/versioned_docs/version-6.x/auth/dbauth.md index b87d4cf3a9f3..e6425e91ff70 100644 --- a/docs/versioned_docs/version-6.x/auth/dbauth.md +++ b/docs/versioned_docs/version-6.x/auth/dbauth.md @@ -283,16 +283,21 @@ By default no setting is required. This is because each db has its own rules for These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config). -```javascript +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). 
@@ -317,15 +322,19 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` From a1090de6fa918fd5012a84672d088b7742130a27 Mon Sep 17 00:00:00 2001 From: Philzen Date: Mon, 16 Dec 2024 16:28:51 +0100 Subject: [PATCH 06/10] Fix syntax hightlighting of js object with is not valid JSON --- docs/docs/auth/dbauth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index 19a1b1bec6af..99f57708a8fc 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md 
@@ -355,7 +355,7 @@ By default, the session cookie will not have the `Domain` property set, which a To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { attributes: { HttpOnly: true, From 985d0ccba2dc3a6d45eea27df9b75edcf4b76089 Mon Sep 17 00:00:00 2001 From: Philzen Date: Mon, 16 Dec 2024 16:29:13 +0100 Subject: [PATCH 07/10] Update versioned docs --- .../versioned_docs/version-7.x/auth/dbauth.md | 35 ++++++++++++------- .../versioned_docs/version-8.0/auth/dbauth.md | 35 ++++++++++++------- .../versioned_docs/version-8.1/auth/dbauth.md | 35 ++++++++++++------- .../versioned_docs/version-8.2/auth/dbauth.md | 35 ++++++++++++------- .../versioned_docs/version-8.3/auth/dbauth.md | 35 ++++++++++++------- .../versioned_docs/version-8.4/auth/dbauth.md | 35 ++++++++++++------- 6 files changed, 132 insertions(+), 78 deletions(-) diff --git a/docs/versioned_docs/version-7.x/auth/dbauth.md b/docs/versioned_docs/version-7.x/auth/dbauth.md index 7bb395831159..179036298b1a 100644 --- a/docs/versioned_docs/version-7.x/auth/dbauth.md +++ b/docs/versioned_docs/version-7.x/auth/dbauth.md 
@@ -311,16 +311,21 @@ By default no setting is required. This is because each db has its own rules for These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config). -```javascript +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). 
@@ -345,15 +350,19 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` diff --git a/docs/versioned_docs/version-8.0/auth/dbauth.md b/docs/versioned_docs/version-8.0/auth/dbauth.md index b4207909941c..de5fac9cbe21 100644 --- a/docs/versioned_docs/version-8.0/auth/dbauth.md +++ b/docs/versioned_docs/version-8.0/auth/dbauth.md 
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config). -```javascript +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). 
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` diff --git a/docs/versioned_docs/version-8.1/auth/dbauth.md b/docs/versioned_docs/version-8.1/auth/dbauth.md index b4207909941c..de5fac9cbe21 100644 --- a/docs/versioned_docs/version-8.1/auth/dbauth.md +++ b/docs/versioned_docs/version-8.1/auth/dbauth.md 
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config). -```javascript +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). 
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` diff --git a/docs/versioned_docs/version-8.2/auth/dbauth.md b/docs/versioned_docs/version-8.2/auth/dbauth.md index b4207909941c..de5fac9cbe21 100644 --- a/docs/versioned_docs/version-8.2/auth/dbauth.md +++ b/docs/versioned_docs/version-8.2/auth/dbauth.md 
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config). -```javascript +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). 
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` diff --git a/docs/versioned_docs/version-8.3/auth/dbauth.md b/docs/versioned_docs/version-8.3/auth/dbauth.md index b4207909941c..de5fac9cbe21 100644 --- a/docs/versioned_docs/version-8.3/auth/dbauth.md +++ b/docs/versioned_docs/version-8.3/auth/dbauth.md 
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config). -```javascript +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). 
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` diff --git a/docs/versioned_docs/version-8.4/auth/dbauth.md b/docs/versioned_docs/version-8.4/auth/dbauth.md index b4207909941c..de5fac9cbe21 100644 --- a/docs/versioned_docs/version-8.4/auth/dbauth.md +++ b/docs/versioned_docs/version-8.4/auth/dbauth.md 
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config). -```javascript +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: true, - // Domain: 'example.com', + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: true, + // Domain: 'example.com', + }, + // name: 'session_%port%' } ``` +As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on. + ### CORS config If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication). 
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: -```json title="api/src/functions/auth.js" +```js title="api/src/functions/auth.js" cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, - Domain: 'example.com' + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + // highlight-next-line + Domain: 'example.com' + }, + // name: 'session_%port%' } ``` From 957d655a56c5dcc1af1495ae3d365790ed273064 Mon Sep 17 00:00:00 2001 
From: Philzen Date: Mon, 16 Dec 2024 16:30:22 +0100 Subject: [PATCH 08/10] Update function config section with new cookie config structure --- docs/docs/auth/dbauth.md | 10 ++++++---- docs/versioned_docs/version-6.x/auth/dbauth.md | 10 ++++++---- docs/versioned_docs/version-7.x/auth/dbauth.md | 10 ++++++---- docs/versioned_docs/version-8.0/auth/dbauth.md | 10 ++++++---- docs/versioned_docs/version-8.1/auth/dbauth.md | 10 ++++++---- docs/versioned_docs/version-8.2/auth/dbauth.md | 10 ++++++---- docs/versioned_docs/version-8.3/auth/dbauth.md | 10 ++++++---- docs/versioned_docs/version-8.4/auth/dbauth.md | 10 ++++++---- 8 files changed, 48 insertions(+), 32 deletions(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index 99f57708a8fc..a1c62620f1ed 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md @@ -561,10 +561,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, diff --git a/docs/versioned_docs/version-6.x/auth/dbauth.md b/docs/versioned_docs/version-6.x/auth/dbauth.md index e6425e91ff70..24c686f1d775 100644 --- a/docs/versioned_docs/version-6.x/auth/dbauth.md +++ b/docs/versioned_docs/version-6.x/auth/dbauth.md @@ -529,10 +529,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, 
diff --git a/docs/versioned_docs/version-7.x/auth/dbauth.md b/docs/versioned_docs/version-7.x/auth/dbauth.md index 179036298b1a..2d99a45670cb 100644 --- a/docs/versioned_docs/version-7.x/auth/dbauth.md +++ b/docs/versioned_docs/version-7.x/auth/dbauth.md @@ -559,10 +559,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, diff --git a/docs/versioned_docs/version-8.0/auth/dbauth.md b/docs/versioned_docs/version-8.0/auth/dbauth.md index de5fac9cbe21..c15cbd879863 100644 --- a/docs/versioned_docs/version-8.0/auth/dbauth.md +++ b/docs/versioned_docs/version-8.0/auth/dbauth.md @@ -561,10 +561,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, diff --git a/docs/versioned_docs/version-8.1/auth/dbauth.md b/docs/versioned_docs/version-8.1/auth/dbauth.md index de5fac9cbe21..c15cbd879863 100644 --- a/docs/versioned_docs/version-8.1/auth/dbauth.md +++ b/docs/versioned_docs/version-8.1/auth/dbauth.md @@ -561,10 +561,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, 
diff --git a/docs/versioned_docs/version-8.2/auth/dbauth.md b/docs/versioned_docs/version-8.2/auth/dbauth.md index de5fac9cbe21..c15cbd879863 100644 --- a/docs/versioned_docs/version-8.2/auth/dbauth.md +++ b/docs/versioned_docs/version-8.2/auth/dbauth.md @@ -561,10 +561,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, diff --git a/docs/versioned_docs/version-8.3/auth/dbauth.md b/docs/versioned_docs/version-8.3/auth/dbauth.md index de5fac9cbe21..c15cbd879863 100644 --- a/docs/versioned_docs/version-8.3/auth/dbauth.md +++ b/docs/versioned_docs/version-8.3/auth/dbauth.md @@ -561,10 +561,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, diff --git a/docs/versioned_docs/version-8.4/auth/dbauth.md b/docs/versioned_docs/version-8.4/auth/dbauth.md index de5fac9cbe21..c15cbd879863 100644 --- a/docs/versioned_docs/version-8.4/auth/dbauth.md +++ b/docs/versioned_docs/version-8.4/auth/dbauth.md @@ -561,10 +561,12 @@ export const handler = async (event, context) => { }, cookie: { - HttpOnly: true, - Path: '/', - SameSite: 'Strict', - Secure: process.env.NODE_ENV !== 'development' ? true : false, + attributes: { + HttpOnly: true, + Path: '/', + SameSite: 'Strict', + Secure: process.env.NODE_ENV !== 'development' ? true : false, + } }, forgotPassword: forgotPasswordOptions, From 78ff0d2cdbd50e5eabe92ae30173886e8f880490 Mon Sep 17 00:00:00 2001 
From: Tobbe Lundberg Date: Mon, 16 Dec 2024 19:15:57 +0100 Subject: [PATCH 09/10] Apply suggestions from code review - attributes --- docs/docs/auth/dbauth.md | 2 +- docs/versioned_docs/version-6.x/auth/dbauth.md | 2 +- docs/versioned_docs/version-7.x/auth/dbauth.md | 2 +- docs/versioned_docs/version-8.0/auth/dbauth.md | 2 +- docs/versioned_docs/version-8.1/auth/dbauth.md | 2 +- docs/versioned_docs/version-8.2/auth/dbauth.md | 2 +- docs/versioned_docs/version-8.3/auth/dbauth.md | 2 +- docs/versioned_docs/version-8.4/auth/dbauth.md | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index a1c62620f1ed..18f1cbbdca00 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md @@ -353,7 +353,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { diff --git a/docs/versioned_docs/version-6.x/auth/dbauth.md b/docs/versioned_docs/version-6.x/auth/dbauth.md index 24c686f1d775..63afe9b9ab93 100644 --- a/docs/versioned_docs/version-6.x/auth/dbauth.md 
+++ b/docs/versioned_docs/version-6.x/auth/dbauth.md @@ -322,7 +322,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { diff --git a/docs/versioned_docs/version-7.x/auth/dbauth.md b/docs/versioned_docs/version-7.x/auth/dbauth.md index 2d99a45670cb..12a2cf2c22af 100644 --- a/docs/versioned_docs/version-7.x/auth/dbauth.md +++ b/docs/versioned_docs/version-7.x/auth/dbauth.md 
@@ -350,7 +350,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { diff --git a/docs/versioned_docs/version-8.0/auth/dbauth.md b/docs/versioned_docs/version-8.0/auth/dbauth.md index c15cbd879863..d0234d5d10c6 100644 --- a/docs/versioned_docs/version-8.0/auth/dbauth.md +++ b/docs/versioned_docs/version-8.0/auth/dbauth.md 
@@ -353,7 +353,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { diff --git a/docs/versioned_docs/version-8.1/auth/dbauth.md b/docs/versioned_docs/version-8.1/auth/dbauth.md index c15cbd879863..d0234d5d10c6 100644 --- a/docs/versioned_docs/version-8.1/auth/dbauth.md +++ b/docs/versioned_docs/version-8.1/auth/dbauth.md 
@@ -353,7 +353,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { diff --git a/docs/versioned_docs/version-8.2/auth/dbauth.md b/docs/versioned_docs/version-8.2/auth/dbauth.md index c15cbd879863..d0234d5d10c6 100644 --- a/docs/versioned_docs/version-8.2/auth/dbauth.md +++ b/docs/versioned_docs/version-8.2/auth/dbauth.md 
@@ -353,7 +353,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { diff --git a/docs/versioned_docs/version-8.3/auth/dbauth.md b/docs/versioned_docs/version-8.3/auth/dbauth.md index c15cbd879863..d0234d5d10c6 100644 --- a/docs/versioned_docs/version-8.3/auth/dbauth.md +++ b/docs/versioned_docs/version-8.3/auth/dbauth.md 
@@ -353,7 +353,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { diff --git a/docs/versioned_docs/version-8.4/auth/dbauth.md b/docs/versioned_docs/version-8.4/auth/dbauth.md index c15cbd879863..d0234d5d10c6 100644 --- a/docs/versioned_docs/version-8.4/auth/dbauth.md +++ b/docs/versioned_docs/version-8.4/auth/dbauth.md 
@@ -353,7 +353,7 @@ See [WebAuthn Configuration](#function-config) section below. By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both. -To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: +To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example: ```js title="api/src/functions/auth.js" cookie: { From ef1835c69eb669ab9f447084a3ba0f5943dd415b Mon Sep 17 00:00:00 2001 From: Tobbe Lundberg Date: Tue, 17 Dec 2024 00:21:20 +0100 Subject: [PATCH 10/10] formatting --- docs/docs/auth/dbauth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md index 18f1cbbdca00..357c19da8c3d 100644 --- a/docs/docs/auth/dbauth.md +++ b/docs/docs/auth/dbauth.md @@ -323,7 +323,7 @@ cookie: { Secure: true, // Domain: 'example.com', }, - // name: 'session_%port%' + // name: 'session_%port%', } ``` @@ -566,7 +566,7 @@ export const handler = async (event, context) => { Path: '/', SameSite: 'Strict', Secure: process.env.NODE_ENV !== 'development' ? true : false, - } + }, }, forgotPassword: forgotPasswordOptions,
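Review bot: In the `@@ -559,10 +559,12 @@` and `@@ -561,10 +561,12 @@` hunks for the versioned docs (7.x through 8.4), the re-indented line `Secure: process.env.NODE_ENV !== 'development' ? true : false,` carries a redundant ternary, since the comparison already yields a boolean. As the line is being rewritten anyway, `Secure: process.env.NODE_ENV !== 'development',` would read more cleanly and keep the same fail-safe behaviour: `Secure` is dropped only when `NODE_ENV` is exactly `'development'`, and stays on when the variable is unset.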
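Review bot: The paragraph corrected in the PATCH 09/10 hunks (`@@ -353,7 +353,7 @@` and the 6.x and 7.x equivalents) tells readers to set `cookie.attributes.Domain` to the root domain but does not state the cost: the browser then sends the session cookie to every host under that domain, not only `api.example.com`. While this sentence is being touched in all eight copies, consider adding one more that says the setting is appropriate only when every subdomain is trusted to receive the session cookie, and that leaving `Domain` unset keeps the narrower current-domain default described in the preceding context line.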
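Review bot: PATCH 10/10 adds the trailing comma after the closing brace of `attributes` (`},` in the `@@ -566,7 +566,7 @@` hunk) only in `docs/docs/auth/dbauth.md`, while the `versioned_docs` copies for 7.x through 8.4 changed earlier in this series still close the block with a bare `}`. Apply the same formatting to the versioned files in this commit so the handler example is identical across versions and later multi-file fixes like PATCH 09/10 keep applying cleanly.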