Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add cookie authentication #45

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

gabrielmachin
Copy link
Collaborator

NOTION Ticket

Type of change

  • Fix
  • Story
  • Chore

Comment on lines 43 to 44
if (JWTEnabled) return authReturn;
return null;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we still return something when using cookie auth?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should return and serialize the user right?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we delete the JWTEnabled and cookieEnabled, as discussed previously with @mlvieras, should we always return the authReturn alongside the serialized user?

Comment on lines 12 to 17
export const cookieConfig = {
signed: true,
httpOnly: true,
maxAge: config.cookieExpirationSeconds * SECONDS_TO_MILLISECONDS,
secure: isProduction,
} as CookieOptions;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we're not using the CookieOptions type explicitly here?

Suggested change
export const cookieConfig = {
signed: true,
httpOnly: true,
maxAge: config.cookieExpirationSeconds * SECONDS_TO_MILLISECONDS,
secure: isProduction,
} as CookieOptions;
export const cookieConfig : CookieOptions = {
signed: true,
httpOnly: true,
maxAge: config.cookieExpirationSeconds * SECONDS_TO_MILLISECONDS,
secure: isProduction,
};

secure: isProduction,
} as CookieOptions;

export const verifyCookie = async (signedCookies: any) => {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is signedCookies of any type?

Comment on lines 43 to 44
if (JWTEnabled) return authReturn;
return null;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should return and serialize the user right?

@gabrielmachin gabrielmachin force-pushed the feat/Add-cookies-implementation branch from 558197f to 875eddf Compare January 16, 2024 18:02
const { sessionId, ...authReturn } = await AuthService.register(user);

const { res } = req;
res?.cookie(COOKIE_NAME, sessionId, cookieConfig);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this only be done if the authentication scheme is cookies?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we want to differentiate between cases for settings and clearing cookies, I'd rather have different endpoints for cookies and tokens than having the user tell me what method it's using, what do you think about it?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't you know what method the client is using? Meaning there is either a token or a cookie.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the case of a register or login endpoint we don't know what method will be used, in other cases we might me able to deduce it based on the authentication method, but in this case we don't know , maybe I'm overlooking something. @chaba11 do you have any idea regarding this?

@Security('jwt')
public async logout(@Request() req: AuthenticatedRequest): Promise<void> {
await AuthService.logout(req.user.token);
const { res } = req;
res?.clearCookie(COOKIE_NAME);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment

await UserService.destroy(id);
if (user.id === id) res?.clearCookie(COOKIE_NAME);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this line is needed. You might want to destroy all sessions of the user though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants