frontegg · TomerFrontegg · Sep 10, 2024
@@ -8,7 +8,7 @@ import { NextResponse } from 'next/server';
 import config from '../config';
 import JwtManager from '../utils/jwt';
 import encryptionUtils from '../utils/encryption-edge';
-import Cookies from '../utils/cookies';
+import { extractSameSiteFromRefreshTokenCookie } from '../utils/refreshAccessTokenIfNeeded/helpers';
 
 async function createSessionFromAccessTokenEdge(data: any): Promise<[string, any, string] | []> {
   const accessToken = data.accessToken ?? data.access_token;
@@ -57,7 +57,9 @@ export const handleHostedLoginCallback = async (
     value: session,
     expires: new Date(decodedJwt.exp * 1000),
     secure: isSecured,
+    sameSite: extractSameSiteFromRefreshTokenCookie(response.headers.get('set-cookie')?.split(',') ?? []),
   });
+
   const refreshCookie = CookieManager.create({
     cookieName: `fe_refresh_${config.clientId.replace('-', '')}`,
     value: refreshToken ?? '',

@@ -12,7 +12,7 @@ import {
   removeJwtSignatureFrom,
 } from './helpers';
 import fronteggLogger from '../utils/fronteggLogger';
-import { isSSOPostRequest } from '../utils/refreshAccessTokenIfNeeded/helpers';
+import { extractSameSiteFromRefreshTokenCookie, isSSOPostRequest } from '../utils/refreshAccessTokenIfNeeded/helpers';
 
 const logger = fronteggLogger.child({ tag: 'FronteggApiMiddleware.ProxyResponseCallback' });
 /**
@@ -74,6 +74,7 @@ const ProxyResponseCallback: ProxyResCallback<IncomingMessage, NextApiResponse>
                   expires: new Date(decodedJwt.exp * 1000),
                   secure: isSecured,
                   req,
+                  sameSite: extractSameSiteFromRefreshTokenCookie(cookies),
                 });
                 cookies.push(...sessionCookie);
               }

@@ -66,6 +66,10 @@ class CookieManager {
       serializeOptions.sameSite = 'none';
     }
 
+    if (options.sameSite) {
+      serializeOptions.sameSite = options.sameSite;
+    }
+
     const serializedCookie = cookieSerializer.serialize(cookieName, cookieValue, serializeOptions);
 
     let newCookies: string[] = [];

@@ -3,7 +3,7 @@ import { IncomingMessage, ServerResponse } from 'http';
 export type RequestType = IncomingMessage | Request;
 export type ResponseType = ServerResponse;
 
-export interface CreateCookieOptions extends Pick<CookieSerializeOptions, 'domain' | 'httpOnly' | 'path'> {
+export interface CreateCookieOptions extends Pick<CookieSerializeOptions, 'domain' | 'httpOnly' | 'path' | 'sameSite'> {
   cookieName?: string;
   value: string;
   secure: boolean;

@@ -5,6 +5,7 @@ import api from '../../api';
 import { getTokensFromCookie } from '../../common';
 import { IncomingMessage } from 'http';
 import config from '../../config';
+import { CookieSerializeOptions } from '../cookies/types';
 
 export function hasRefreshTokenCookie(cookies: Record<string, any>): boolean {
   const logger = fronteggLogger.child({ tag: 'refreshToken.hasRefreshTokenCookie' });
@@ -95,3 +96,17 @@ export function isSamlCallback(url: string): boolean {
 export function isSSOPostRequest(url: string): boolean {
   return url === '/frontegg/auth/saml/callback' || url === '/frontegg/auth/oidc/callback';
 }
+
+export function extractSameSiteFromRefreshTokenCookie(cookies: string[]): CookieSerializeOptions['sameSite'] | undefined {
+  const refreshTokenKey = CookieManager.refreshTokenKey;
+  const refreshTokenCookie = cookies.find((cookie) => {
+    return cookie.replace(/-/g, '') === refreshTokenKey;
+  });
+
+  if (!refreshTokenCookie) {
+    return undefined;
+  }
+
+  const sameSite = refreshTokenCookie.split(';').find((c: string) => c.trim().toLowerCase().startsWith('samesite'));
+  return sameSite?.split('=')[1]?.trim() as CookieSerializeOptions['sameSite'];
+}
@@ -4,6 +4,7 @@ import { createSessionFromAccessToken } from '../../common';
 import config from '../../config';
 import CookieManager from '../cookies';
 import {
+  extractSameSiteFromRefreshTokenCookie,
   isOauthCallback,
   isRuntimeNextRequest,
   isSamlCallback,
@@ -89,6 +90,7 @@ export default async function refreshAccessTokenIfNeeded(ctx: NextPageContext):
       expires: new Date(decodedJwt.exp * 1000),
       secure: isSecured,
       req: nextJsRequest,
+      sameSite: extractSameSiteFromRefreshTokenCookie(newSetCookie),
     });
     newSetCookie.push(...cookieValue);
     ctx.res?.setHeader('set-cookie', newSetCookie);