[docs] Reflect new structure of cookie config object since RW 6.4 #11781

Merged
merged 11 commits into from
Dec 16, 2024
31 changes: 20 additions & 11 deletions docs/docs/auth/dbauth.md
Expand Up @@ -316,14 +316,19 @@ These options determine how the cookie that tracks whether the client is authori

```javascript
cookie: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
Secure: true,
// Domain: 'example.com',
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
Secure: true,
// Domain: 'example.com',
},
// name: 'session_%port%'
}
```

As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port% will be replaced with the port the api server is running on.

### CORS config

If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
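Review bot: the new sentence after the code block has an unclosed inline-code span: the backtick before `%port%` in "`%port% will be replaced" is never closed, so everything from there to the end of the paragraph renders as code; it should read `` `%port%` will be replaced``. A comma after "As shown above" would also help. Since the name only appears commented out (`// name: 'session_%port%'`), consider stating explicitly that the commented line shows the default and that uncommenting it with another value overrides it. One caveat readers of the CORS paragraph will hit: with `SameSite: 'Strict'` as in the example, the browser does not attach the cookie to cross-site requests, so if "different domains" means different registrable domains rather than subdomains of one site, the web side will not send the session cookie even with CORS and credentials configured; the docs should say which `SameSite` value that deployment expects.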
Expand All @@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.

By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.

To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
To do this, set the `cookie.attibutes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:

```json title="api/src/functions/auth.js"
cookie: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
Secure: process.env.NODE_ENV !== 'development' ? true : false,
Domain: 'example.com'
attributes: {
HttpOnly: true,
Path: '/',
SameSite: 'Strict',
Secure: process.env.NODE_ENV !== 'development' ? true : false,
// highlight-next-line
Domain: 'example.com'
},
// name: 'session_%port%'
}
```

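Review bot: `cookie.attibutes.Domain` in the rewritten sentence is misspelled; it should be `cookie.attributes.Domain`, matching the `attributes:` key in the block below it. The code fence is tagged `json` but the content is JavaScript (comments, a `process.env` ternary), so it should carry the same `javascript` tag as the first block in the file. Two smaller points: `process.env.NODE_ENV !== 'development' ? true : false` is just `process.env.NODE_ENV !== 'development'`, and the phrase "allow it to be read by all subdomains as well" deserves a one-line caveat that the session cookie is then sent to every host under `example.com`, including any subdomain you do not fully control (user-uploaded content, third-party hosted tools), so `Domain` should be scoped no wider than the hosts that actually need the session.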