This repository has been archived by the owner on Apr 11, 2024. It is now read-only.

Add a new config option for cookie name #891

Closed
husseyexplores opened this issue May 26, 2023 · 3 comments
@husseyexplores

Overview/summary

This library uses fixed/static cookie names (defined as STATE_COOKIE_NAME) to validate state (nonce).
The same goes for the session cookie name, but let's stick to the state (nonce) cookie for now.

When deploying to Firebase, cookie state validation fails.
The reason is that Firebase strips every cookie name, but only the __session cookie is allowed to pass through. (Reference)

Proposed solution

Add a config option named stateCookieName, which will be used instead of the default state cookie name

Note

The suggested solution will work for embedded apps only as it requires only one cookie (state cookie) for validating nonce.
Sessions are handled via JWT.

For non-embedded apps, it requires a separate cookie for the session as well. So not sure if it will work in the Firebase context.

While we're at it, we can just expose both cookie names (SESSION_COOKIE_NAME and STATE_COOKIE_NAME) to be configurable.

@husseyexplores
Author

Some more findings:

The previously proposed solution will not work as-is, because it uses signed cookies.
Signing creates an additional cookie {cookieName}.sig. And in the Firebase context, __session.sig will still be stripped out. (I did a test run.)

  • We can either simply expose another option to disable cookie signing, just like the cookie-session package.
    That'll solve it for embedded apps.

  • The complex solution would be to use a unified cookie (one cookie to rule them all!).
    We store all the data (session id, nonce state, etc) in one cookie.
    Like this (hypothetical code):
const crypto = require('crypto');
const SECRET = process.env.COOKIE_SECRET; // key for the MAC; never ship a hard-coded value

// HMAC-SHA256 over the serialized data, hex-encoded so it never contains the ':' separator
function generateMAC(data) {
  return crypto.createHmac('sha256', SECRET).update(data).digest('hex');
}

app.get('/auth/login', (req, res) => {
  const sessionData = {
    // sessionId: '123456789',
    nonce: 'abcdefg',
    // other properties...
  };

  const serializedData = JSON.stringify(sessionData);
  const mac = generateMAC(serializedData);

  // Set the single cookie with the MAC appended (no separate .sig cookie to be stripped)
  res.cookie('__session', serializedData + ':' + mac);
});

And verify like this (hypothetical code):

// requires cookie-parser middleware so req.cookies is populated;
// generateMAC is the same HMAC helper used at login
app.get('/auth/callback', (req, res) => {
  const cookieValue = req.cookies.__session;

  // No cookie at all (stripped, expired, or first visit): reject before touching it
  if (typeof cookieValue !== 'string' || !cookieValue.includes(':')) {
    return res.status(401).send('Missing session cookie');
  }

  // Extract the serialized data and MAC (the JSON may itself contain ':', so split on the last one)
  const separatorIndex = cookieValue.lastIndexOf(':');
  const serializedData = cookieValue.slice(0, separatorIndex);
  const storedMAC = Buffer.from(cookieValue.slice(separatorIndex + 1));

  // Verify the MAC in constant time; a plain === comparison leaks timing information
  const computedMAC = Buffer.from(generateMAC(serializedData));
  const macValid =
    storedMAC.length === computedMAC.length && crypto.timingSafeEqual(storedMAC, computedMAC);

  if (macValid) {
    // MAC is valid, so the payload is untampered and safe to parse
    const sessionData = JSON.parse(serializedData);

    // Access the values
    const sessionId = sessionData.sessionId;
    const nonce = sessionData.nonce;
    // other properties...

    // Perform necessary operations with the session data

    res.send('Example endpoint');
  } else {
    // MAC is invalid
    res.status(401).send('Invalid MAC');
  }
});

More context in next-firebase-auth package:
gladly-team/next-firebase-auth#190

I'm not using this package. Only added it for reference since it's a problem many packages have.

@github-actions
Contributor

This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days.

@github-actions github-actions bot added the Stale label Jul 27, 2023
@github-actions
Contributor

We are closing this issue because it has been inactive for a few months.
This probably means that it is not reproducible or it has been fixed in a newer version.
If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.

If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md file for guidelines.

Thank you!
