fix(dbauth-mw): Unset cookie instead of clearing (#10502)

redwoodjs · Apr 26, 2024 · 5db6c18 · 5db6c18
1 parent 9d482be
commit 5db6c18
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/.changesets/10502.md b/.changesets/10502.md
@@ -0,0 +1,2 @@
+- fix(dbauth-mw): Unset cookie instead of clearing (#10502) by @dac09
+Updates dbAuth middleware implementation to _unset_ the cookies, instead of clearing them.
diff --git a/packages/auth-providers/dbAuth/middleware/src/__tests__/createDbAuthMiddleware.test.ts b/packages/auth-providers/dbAuth/middleware/src/__tests__/createDbAuthMiddleware.test.ts
@@ -522,6 +522,12 @@ describe('createDbAuthMiddleware()', () => {
 
       const serverAuthContext = req.serverAuthContext.get()
       expect(serverAuthContext).toBeNull()
+
+      expect(res.toResponse().headers.getSetCookie()).toEqual([
+        // Expired cookies, will be removed by browser
+        'session_8911=; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+        'auth-provider=; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+      ])
     })
     it('handles a GET request with no cookies', async () => {
       const request = new Request('http://localhost:8911/functions/no-cookie', {

diff --git a/packages/auth-providers/dbAuth/middleware/src/index.ts b/packages/auth-providers/dbAuth/middleware/src/index.ts
@@ -101,9 +101,10 @@ export const createDbAuthMiddleware = ({
       console.error(e, 'Error decrypting dbAuth cookie')
       req.serverAuthContext.set(null)
 
-      // Clear the cookies, because decryption was invalid
-      res.cookies.clear(cookieNameCreator(cookieName))
-      res.cookies.clear('auth-provider')
+      // Note we have to use ".unset" and not ".clear"
+      // because we want to remove these cookies from the browser
+      res.cookies.unset(cookieNameCreator(cookieName))
+      res.cookies.unset('auth-provider')
     }
 
     return res