From 22732e33e546f6893574393326944ce64b7d86e8 Mon Sep 17 00:00:00 2001
From: Meier Lukas <meierschlumpf@gmail.com>
Date: Fri, 1 Nov 2024 10:03:45 +0100
Subject: [PATCH] fix: credentials login behind proxy no longer works (#2177)

---
 src/server/auth.ts        | 13 ++------
 src/utils/auth/cookies.ts | 66 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 11 deletions(-)
 create mode 100644 src/utils/auth/cookies.ts

diff --git a/src/server/auth.ts b/src/server/auth.ts
index 9b7e19a93..bea84ec2a 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -7,6 +7,7 @@ import { decode, encode } from 'next-auth/jwt';
 import { env } from '~/env';
 import { secondsFromTimeString } from '~/tools/client/parseDuration';
 import { adapter, getProviders, onCreateUser } from '~/utils/auth';
+import { createCookiesWithDefaultOptions } from '~/utils/auth/cookies';
 import { createRedirectUri } from '~/utils/auth/oidc';
 import EmptyNextAuthProvider from '~/utils/empty-provider';
 import { fromDate, generateSessionToken } from '~/utils/session';
@@ -106,17 +107,7 @@ export const constructAuthOptions = async (
   },
   adapter: adapter as Adapter,
   providers: [...(await getProviders(req.headers)), EmptyNextAuthProvider()],
-  cookies: {
-    sessionToken: {
-      name: 'next-auth.session-token',
-      options: {
-        httpOnly: true,
-        sameSite: 'lax',
-        path: '/',
-        secure: true,
-      },
-    },
-  },
+  cookies: createCookiesWithDefaultOptions(req.url?.startsWith('https:') ?? false),
   jwt: {
     async encode(params) {
       if (!isCredentialsRequest(req)) {
diff --git a/src/utils/auth/cookies.ts b/src/utils/auth/cookies.ts
new file mode 100644
index 000000000..8ccaea01e
--- /dev/null
+++ b/src/utils/auth/cookies.ts
@@ -0,0 +1,66 @@
+export const createCookiesWithDefaultOptions = (useSecureCookies: boolean) => {
+  const cookiePrefix = useSecureCookies ? '__Secure-' : '';
+
+  return {
+    // default cookie options
+    sessionToken: {
+      // We don't use __Secure prefix as the cookie is used in the code
+      name: `next-auth.session-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    callbackUrl: {
+      name: `${cookiePrefix}next-auth.callback-url`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    csrfToken: {
+      // Default to __Host- for CSRF token for additional protection if using useSecureCookies
+      // NB: The `__Host-` prefix is stricter than the `__Secure-` prefix.
+      name: `${useSecureCookies ? '__Host-' : ''}next-auth.csrf-token`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+    pkceCodeVerifier: {
+      name: `${cookiePrefix}next-auth.pkce.code_verifier`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
+      },
+    },
+    state: {
+      name: `${cookiePrefix}next-auth.state`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
+      },
+    },
+    nonce: {
+      name: `${cookiePrefix}next-auth.nonce`,
+      options: {
+        httpOnly: true,
+        sameSite: 'lax',
+        path: '/',
+        secure: useSecureCookies,
+      },
+    },
+  } as const;
+};