
Given the following resolver for a mutation:

    // Assumed imports for the resolver below (they are not shown in the original snippet)
    const bcrypt = require('bcrypt');
    const jwt = require('jsonwebtoken');

    const Mutation = {
        async signin(parent, { name, password }, ctx, info) {
            // Check if there is a user with the name
            const user = await ctx.db.query.user({
                where: { name }
            });
            if (!user) {
                // Note: a message distinct from the password error reveals which names exist
                throw new Error('Name not found');
            }

            // Check if the password is correct
            const valid = await bcrypt.compare(password, user.password);
            if (!valid) {
                throw new Error('Invalid password');
            }

            // Generate the JWT
            const token = jwt.sign({ userId: user.id }, process.env.APP_SECRET);

            // Set the cookie with the token
            ctx.response.cookie('token', token, {
                httpOnly: true,
                // secure: ...,
                // sameSite: ...,
                maxAge: 1000 * 60 * 60 * 24 * 365
            });

            return user;
        }
    };

When the code is like this, I get the following warning:

A cookie associated with a cross-site resource at http://timetable-yoga-pd.herokuapp.com/ was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Backstory: the frontend part is a React app that is hosted on timetable-react-pd.herokuapp.com. The backend part is a Node app, hosted on timetable-yoga-pd.herokuapp.com.

Now, when I set `secure` to true, as asked in the warning, the cookie header is not set. I have found on the internet that this is normal.

When I set `sameSite` to false, it acts as if it were not there (expected behaviour). If `sameSite` is set to "none" or "None", the warning disappears, but a new error emerges, saying that GraphQL does not accept the value "none".

Miki Nyeste
  • Have you tried to set cookie's domain to the top level domain of the two, the herokuapp.com? – Wiktor Zychla Dec 07 '19 at 10:24
  • I tried it. It does not give any errors or warnings, but it still does not set the cookie. – Miki Nyeste Dec 07 '19 at 10:35
  • What libraries, clients, or frameworks are you using here? The `SameSite=None` value is relatively new and I've noticed that a few locations validate the parameters to only accept the older `Strict` and `Lax` values. If I know what you're using, I may be able to go update them to support `None`. – rowan_m Dec 07 '19 at 23:37
  • I believe GraphQL does not accept it. I found that Express 4.17 accepts "none". And when I set it so, chrome stops sending the warning, but there is then a new error from GraphQL, that it doesn't recognize "none". – Miki Nyeste Dec 09 '19 at 22:58
  • Can you post the exact error you're getting when it says that it does not accept "None"? Specifically, line numbers and file names. I don't see anything in the GraphQL code regarding the `SameSite` attribute, so this feels like it's some other dependency. – rowan_m Dec 14 '19 at 00:37
  • Uncaught (in promise) Error: GraphQL error: option sameSite is invalid at new ApolloError (ApolloError.js:37) at Object.next (QueryManager.js:186) at notifySubscription (Observable.js:126) at onNotify (Observable.js:161) at SubscriptionObserver.next (Observable.js:215) at Object.next (index.js:41) at notifySubscription (Observable.js:126) at onNotify (Observable.js:161) at SubscriptionObserver.next (Observable.js:215) at notifySubscription (Observable.js:126) at onNotify (Observable.js:161) at SubscriptionObserver.next (Observable.js:215) at httpLink.js:95 – Miki Nyeste Dec 14 '19 at 13:56
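The following is an added example, not code from the question or from Express, Apollo or any cookie library. It shows the combination the Chrome warning asks for (`SameSite=None` together with `Secure`) built into the options object that `res.cookie` takes, a serializer that applies the same validation a cookie library does (the message "option sameSite is invalid" in the comments is how the `cookie` package used by Express rejects a value it does not know; the version bundled before Express 4.17 accepted only `strict` and `lax`, which matches the finding in the comments that 4.17 accepts "none"), and an audit function that reads a `Set-Cookie` header back and reports whether a cross-site request would carry it. Two caveats are encoded in it: `SameSite=None` without `Secure` is rejected outright, and a `Secure` cookie is only stored when the response arrives over HTTPS, so an API reached at `http://…herokuapp.com` (as in the warning text) can never set it, whatever the attributes say. All function and field names, and the placeholder token value, are this example's own assumptions.

```javascript
// Added example (not from the question): cookie options for a token cookie
// that must travel cross-site (React app on one herokuapp.com origin, API on
// another), plus an audit of a Set-Cookie header against the rule Chrome's
// warning states: cross-site delivery needs SameSite=None together with Secure.
// Function and field names below are this example's own assumptions.

const ALLOWED_SAMESITE = new Set(['strict', 'lax', 'none']);

// Build the options object passed to Express's res.cookie(name, value, opts).
// crossSite: the browser page and the API live on different sites.
// https:     the API is reached over HTTPS (a Secure cookie is dropped otherwise).
function authCookieOptions({ crossSite, https }) {
  if (crossSite && !https) {
    // Chrome stores neither SameSite=None without Secure nor a Secure cookie
    // delivered over plain http://, so there is no valid attribute set here.
    throw new Error('a cross-site cookie needs the API served over HTTPS');
  }
  return {
    httpOnly: true,
    secure: https,
    sameSite: crossSite ? 'none' : 'lax',
    maxAge: 1000 * 60 * 60 * 24 * 365, // milliseconds, as Express expects
  };
}

// Serialise to a Set-Cookie header value the way a cookie library would,
// including the validation that produces "option sameSite is invalid".
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite !== undefined) {
    const v = String(opts.sameSite).toLowerCase();
    if (!ALLOWED_SAMESITE.has(v)) throw new TypeError('option sameSite is invalid');
    if (v === 'none' && !opts.secure) throw new TypeError('SameSite=None requires Secure');
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header and decide whether Chrome would send the cookie
// on a cross-site request (the condition stated in the warning in the question).
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  let sameSite = null;
  let secure = false;
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') secure = true;
    if (key === 'samesite') sameSite = v.toLowerCase();
  }
  let crossSiteOk = false;
  let reason;
  if (sameSite === null) {
    reason = 'no SameSite attribute: Chrome defaults to Lax and drops it cross-site';
  } else if (sameSite === 'none' && !secure) {
    reason = 'SameSite=None without Secure is rejected outright';
  } else if (sameSite === 'none') {
    crossSiteOk = true;
    reason = 'SameSite=None; Secure: delivered cross-site';
  } else {
    reason = `SameSite=${sameSite}: never sent on cross-site requests`;
  }
  return { name, sameSite, secure, crossSiteOk, reason };
}

// Constructed demonstration values; the token is a placeholder, not a real JWT.
const demoOpts = authCookieOptions({ crossSite: true, https: true });
const demoHeader = serializeCookie('token', 'placeholder.jwt.value', demoOpts);
console.log(demoHeader);
console.log(auditSetCookie(demoHeader));
console.log(auditSetCookie('token=placeholder; Path=/; HttpOnly'));
```

In the resolver from the question the call becomes `ctx.response.cookie('token', token, authCookieOptions({ crossSite: true, https: true }))`. The browser will then send the cookie back to the API only if the client request is made with credentials (for Apollo's HTTP link, `credentials: 'include'`) and the API answers the cross-origin request with `Access-Control-Allow-Credentials: true` for the React app's exact origin; `auditSetCookie` is a quick way to check the header the API actually emits before looking at the client side.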

0 Answers