From 044d040c33c1cf7eda6071f7ad8fd8d3212b196a Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Wed, 14 May 2025 08:00:54 -0700
Subject: [PATCH 1/3] use more appropriate SvelteKit APIs
---
 src/lib/server/session.ts | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/lib/server/session.ts b/src/lib/server/session.ts
index 7b8c02a..de2514a 100644
--- a/src/lib/server/session.ts
+++ b/src/lib/server/session.ts
@@ -1,4 +1,5 @@
 import { db } from "./db";
+import { dev } from "$app/environment";
 import { encodeBase32, encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
@@ -55,20 +56,16 @@ export function invalidateUserSessions(userId: number): void {
 export function setSessionTokenCookie(event: RequestEvent, token: string, expiresAt: Date): void {
 event.cookies.set("session", token, {
- httpOnly: true,
 path: "/",
- secure: import.meta.env.PROD,
- sameSite: "lax",
+ secure: !dev || event.url.protocol === "https",
 expires: expiresAt
 });
 }
 export function deleteSessionTokenCookie(event: RequestEvent): void {
 event.cookies.set("session", "", {
- httpOnly: true,
 path: "/",
- secure: import.meta.env.PROD,
- sameSite: "lax",
+ secure: !dev || event.url.protocol === "https",
 maxAge: 0
 });
 }
From 68331c6c7c542e820cede014bf53587de9a7cad0 Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Wed, 14 May 2025 08:02:53 -0700
Subject: [PATCH 2/3] Update +server.ts
---
 src/routes/login/google/+server.ts | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)
diff --git a/src/routes/login/google/+server.ts b/src/routes/login/google/+server.ts
index 19980fb..2ea15de 100644
--- a/src/routes/login/google/+server.ts
+++ b/src/routes/login/google/+server.ts
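Review bot: The new `secure: !dev || event.url.protocol === "https"` in both setSessionTokenCookie and deleteSessionTokenCookie can never evaluate the right-hand side to true, because `event.url` is a `URL` and `URL.protocol` includes the trailing colon (`"https:"`), so in dev the session cookie is always sent without the Secure flag even on an HTTPS dev server. The same expression is added twice to the `google_oauth_state` / `google_code_verifier` cookies in patch 2's `src/routes/login/google/+server.ts` hunk. Either compare against the real value, `secure: !dev || event.url.protocol === "https:",`, or drop the explicit option entirely and rely on SvelteKit's `cookies.set` defaults, which already set `secure: true` except on plain-http localhost and also default `httpOnly: true` and `sameSite: "lax"`, which this hunk removes.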
@@ -1,4 +1,6 @@
+import { dev } from "$app/environment";
 import { google } from "$lib/server/oauth";
+import { redirect } from "@sveltejs/kit";
 import { generateCodeVerifier, generateState } from "arctic";
 import type { RequestEvent } from "./$types";
@@ -9,24 +11,15 @@ export function GET(event: RequestEvent): Response {
 const url = google.createAuthorizationURL(state, codeVerifier, ["openid", "profile", "email"]);
 event.cookies.set("google_oauth_state", state, {
- httpOnly: true,
 maxAge: 60 * 10,
- secure: import.meta.env.PROD,
- path: "/",
- sameSite: "lax"
+ secure: !dev || event.url.protocol === "https",
+ path: "/"
 });
 event.cookies.set("google_code_verifier", codeVerifier, {
- httpOnly: true,
 maxAge: 60 * 10,
- secure: import.meta.env.PROD,
- path: "/",
- sameSite: "lax"
+ secure: !dev || event.url.protocol === "https",
+ path: "/"
 });
- return new Response(null, {
- status: 302,
- headers: {
- Location: url.toString()
- }
- });
+ redirect(307, url.toString());
 }
From 62a47d5dedcbff1283bcedc4c2e35e9886047f3f Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Wed, 14 May 2025 08:04:12 -0700
Subject: [PATCH 3/3] Update +server.ts
---
 src/routes/login/google/callback/+server.ts | 27 +++++++--------------
 1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/src/routes/login/google/callback/+server.ts b/src/routes/login/google/callback/+server.ts
index ddabde9..6bb494b 100644
--- a/src/routes/login/google/callback/+server.ts
+++ b/src/routes/login/google/callback/+server.ts
@@ -1,5 +1,6 @@
 import { google } from "$lib/server/oauth";
 import { ObjectParser } from "@pilcrowjs/object-parser";
+import { error, redirect } from "@sveltejs/kit";
 import { createUser, getUserFromGoogleId } from "$lib/server/user";
 import { createSession, generateSessionToken, setSessionTokenCookie } from "$lib/server/session";
 import { decodeIdToken } from "arctic";
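Review bot: Dropping `httpOnly: true` and `sameSite: "lax"` from the `google_oauth_state` and `google_code_verifier` cookies leaves an undocumented dependency on SvelteKit's `cookies.set` defaults, and `lax` is load-bearing here: the state cookie must accompany the top-level cross-site navigation back from Google's consent page, which a later "hardening" to `strict` would silently break and make every callback fail the state check. A one-line comment above the first `event.cookies.set` would record that, for example `// Relies on SvelteKit defaults: httpOnly and sameSite "lax" (lax is required so these cookies are sent on the redirect back from Google).`. GET's signature and the `state`/`codeVerifier` generation sit before this hunk.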
@@ -14,13 +15,13 @@ export async function GET(event: RequestEvent): Promise {
 const state = event.url.searchParams.get("state");
 if (storedState === null || codeVerifier === null || code === null || state === null) {
- return new Response("Please restart the process.", {
- status: 400
+ error(400, {
+ message: "Please restart the process."
 });
 }
 if (storedState !== state) {
- return new Response("Please restart the process.", {
- status: 400
+ error(400, {
+ message: "Please restart the process."
 });
 }
@@ -28,8 +29,8 @@ export async function GET(event: RequestEvent): Promise {
 try {
 tokens = await google.validateAuthorizationCode(code, codeVerifier);
 } catch (e) {
- return new Response("Please restart the process.", {
- status: 400
+ error(400, {
+ message: "Please restart the process."
 });
 }
@@ -46,22 +47,12 @@ export async function GET(event: RequestEvent): Promise {
 const sessionToken = generateSessionToken();
 const session = createSession(sessionToken, existingUser.id);
 setSessionTokenCookie(event, sessionToken, session.expiresAt);
- return new Response(null, {
- status: 302,
- headers: {
- Location: "/"
- }
- });
+ redirect(307, "/");
 }
 const user = createUser(googleId, email, name, picture);
 const sessionToken = generateSessionToken();
 const session = createSession(sessionToken, user.id);
 setSessionTokenCookie(event, sessionToken, session.expiresAt);
- return new Response(null, {
- status: 302,
- headers: {
- Location: "/"
- }
- });
+ redirect(307, "/");
 }
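Review bot: The `error(400, …)` calls in this hunk are plain statements with no `return` or `throw`, so both the control flow and the null-narrowing of `code`, `codeVerifier` and `state` that the later `google.validateAuthorizationCode(code, codeVerifier)` call depends on rely on `error` being typed as returning `never`; the same holds for the `error` in the `catch` of the next hunk and the `redirect(307, …)` calls in the last hunk and in patch 2. That is the case on SvelteKit 2, where `error`/`redirect` throw, but on SvelteKit 1.x they returned a value that had to be thrown, and the project's SvelteKit version is not visible in this patch. If the project is still on 1.x these must become `throw error(400, { message: "Please restart the process." });` and `throw redirect(307, "/");`. GET begins before this hunk and continues after it.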
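Review bot: After the session cookie is set and `redirect(307, "/")` is issued in both branches of this hunk, the one-time `google_oauth_state` and `google_code_verifier` cookies set by the login route remain valid for the rest of their 10-minute `maxAge`, unless they are cleared somewhere in the part of GET not shown here. Since the code verifier has already been exchanged, it would be tidier to retire both before each redirect with `event.cookies.delete("google_oauth_state", { path: "/" });` and `event.cookies.delete("google_code_verifier", { path: "/" });`, which also avoids a stale state cookie colliding with a later login attempt. Most of GET's body lies between the earlier hunks and this one.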