diff --git a/@connect-shared/lib/session/config.ts b/@connect-shared/lib/session/config.ts
index e4296d820a..b8e92b8291 100644
--- a/@connect-shared/lib/session/config.ts
+++ b/@connect-shared/lib/session/config.ts
@@ -8,5 +8,6 @@ export type SessionData = {
 export function getIronOptions() {
   const cookieName = process.env.AUTH_COOKIE || getIronOptionsRoot().cookieName;
-  return { ...getIronOptionsRoot(), cookieName };
+  // "LAX" allows us to redirect users to the app from other websites/emails while they are logged in
+  return { ...getIronOptionsRoot({ sameSite: 'lax' }), cookieName };
 }
diff --git a/apps/scoutgame/app/api/login-dev/route.ts b/apps/scoutgame/app/api/login-dev/route.ts
index 84cc0864c8..a73579ce3e 100644
--- a/apps/scoutgame/app/api/login-dev/route.ts
+++ b/apps/scoutgame/app/api/login-dev/route.ts
@@ -32,7 +32,7 @@ export async function GET(request: Request) {
   const cookieName = process.env.AUTH_COOKIE || getIronOptions().cookieName;
-  response.headers.set('Set-Cookie', `${cookieName}=${sealedSession}; HttpOnly; Secure; SameSite=Strict; Path=/`);
+  response.headers.set('Set-Cookie', `${cookieName}=${sealedSession}; HttpOnly; Secure; SameSite=Lax; Path=/`);
   return response;
 }
diff --git a/apps/scoutgame/app/api/session/refresh/route.ts b/apps/scoutgame/app/api/session/refresh/route.ts
index 696641f683..479a39cc20 100644
--- a/apps/scoutgame/app/api/session/refresh/route.ts
+++ b/apps/scoutgame/app/api/session/refresh/route.ts
@@ -7,6 +7,10 @@ import type { NextRequest } from 'next/server';
 // This API Route is non-blocking and called on every page load. Use it to refresh things about the current user
 export async function GET(req: NextRequest) {
   const session = await getSession();
+
+  // save session to update the LAX cookie
+  await session.save();
+
   const userId = session.scoutId;
   if (userId) {
     const scout = await prisma.scout.findUnique({
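Review bot: Switching the shared session cookie to `sameSite: 'lax'` means browsers now attach it to top-level cross-site GET navigations, so the added comment should record the invariant that makes this safe: every state-changing endpoint must require a non-GET method, because Lax still withholds the cookie on cross-site POST/PUT/DELETE. Suggest extending the comment to `// Lax: cookie is sent on top-level cross-site GET navigations (links from emails/other sites) but not on cross-site POST; keep all mutations on non-GET routes`. Minor: `getIronOptionsRoot()` is built twice in this function, once with the strict default just to read `cookieName` and once with `sameSite: 'lax'` for the spread; `const root = getIronOptionsRoot({ sameSite: 'lax' });` reused for both would make the intent clearer.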
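Review bot: The hand-built `Set-Cookie` string on the changed line now duplicates the SameSite policy that `getIronOptions()` already encodes in `cookieOptions` (see the config.ts hunk in this commit), so the two will drift apart the next time either is edited; it also hard-codes `Secure` and omits any expiry, whereas `getIronOptions` derives `secure` from the base URL. At minimum add `// keep attributes in sync with cookieOptions in getIronOptions()` above the `response.headers.set(...)` line, or better, build the attribute string from those options instead of literals. The route name suggests a development-only login path; the `GET` handler begins above this hunk, so whatever gate keeps it out of production is not visible here and is worth re-checking now that the cookie it issues is sent on cross-site navigations.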
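Review bot: `await session.save()` is placed before the `if (userId)` check, so every page load, including anonymous visitors with no session data, now re-seals and re-issues a session cookie; that adds per-request crypto work to a route the comment above describes as called on every page load and, depending on how iron-session treats an empty session (not verifiable from this hunk), may hand a cookie to users who never logged in. Limiting the save to real sessions avoids both: drop the three added lines and put `await session.save(); // re-issue cookie with the Lax attribute` as the first statement inside the existing `if (userId) {` block. The comment should also say this is a migration step and when it goes away, e.g. `// TODO(<ticket placeholder>): remove once existing Strict cookies have been re-issued`. The `GET` handler continues past the end of this hunk.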
diff --git a/apps/scoutgame/components/login/LoginPage.tsx b/apps/scoutgame/components/login/LoginPage.tsx
index 6ce061e409..eb90e9359d 100644
--- a/apps/scoutgame/components/login/LoginPage.tsx
+++ b/apps/scoutgame/components/login/LoginPage.tsx
@@ -1,13 +1,33 @@
+'use client';
+
+import { log } from '@charmverse/core/log';
 import { Box, Typography } from '@mui/material';
 import Image from 'next/image';
+import { useRouter } from 'next/navigation';
+import { createContext, useEffect, useContext, useMemo, useState } from 'react';
 import { SinglePageLayout } from 'components/common/Layout';
 import { WarpcastLogin } from 'components/common/WarpcastLogin/WarpcastLogin';
 import { InfoBackgroundImage } from 'components/layout/InfoBackgroundImage';
+import { useGetUserTrigger } from 'hooks/api/session';
 import { LaunchDate } from './LaunchDate';
 export function LoginPage() {
+  const { trigger: triggerReload } = useGetUserTrigger();
+  const router = useRouter();
+  // HACK: Remove this after we change session cookies to LAX
+  useEffect(() => {
+    async function loadUser() {
+      const updated = await triggerReload();
+      if (updated) {
+        log.info('Redirect user to profile from login page', { userId: updated.id });
+        router.push('/profile?tab=win');
+      }
+    }
+    loadUser();
+  }, []);
+
   return (
     <>
diff --git a/lib/session/getIronOptions.ts b/lib/session/getIronOptions.ts
index 4b090280a4..adbc0b61e7 100644
--- a/lib/session/getIronOptions.ts
+++ b/lib/session/getIronOptions.ts
@@ -3,7 +3,10 @@ import type { SessionOptions } from 'iron-session';
 // import the "optional" auth secret here so it doesnt throw an error at build time
-export function getIronOptions({ domain }: { domain?: string } = {}): SessionOptions {
+export function getIronOptions({
+  domain,
+  sameSite = 'strict'
+}: { domain?: string; sameSite?: 'lax' | 'strict' } = {}): SessionOptions {
   if (!authSecret) {
     throw new Error('AUTH_SECRET is not defined');
   }
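Review bot: `loadUser()` inside the new effect is a floating promise: if `triggerReload()` rejects (network failure, expired or rejected session) the rejection is unhandled and nothing is logged, so a broken refresh on the login page is invisible. Attach a handler, e.g. `void loadUser().catch((error) => log.error('Failed to reload user on login page', { error }));`. The `HACK` comment says to remove this once cookies are LAX, but this same commit flips them to Lax in `getIronOptions.ts`, so the comment should state the real removal condition, presumably once previously issued Strict cookies have been re-issued by the refresh route. Also, `createContext`, `useContext`, `useMemo` and `useState` are not used within the hunk (the component body continues below it, so they may be used there), and the effect's empty dependency array omits `triggerReload` and `router`, which `react-hooks/exhaustive-deps` will flag.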
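Review bot: The new `sameSite` parameter is undocumented, and because it directly sets the session cookie's cross-site policy the trade-off belongs where callers will read it. Suggest a TSDoc block above the signature with `@param sameSite - 'strict' (default) withholds the session cookie on every cross-site request, including links from emails; 'lax' sends it on top-level cross-site GET navigations only, so callers choosing 'lax' must keep all state-changing routes on non-GET methods. 'none' is deliberately not accepted.` Restricting the type to the literal union `'lax' | 'strict'` is the right call; keep it that narrow rather than widening to the cookie library's full SameSite type later. The function body continues past this hunk.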
@@ -11,7 +14,7 @@ export function getIronOptions({ domain }: { domain?: string } = {}): SessionOpt
     cookieName,
     password: authSecret,
     cookieOptions: {
-      sameSite: 'strict' as const,
+      sameSite,
       domain,
       // secure: true should be used in production (HTTPS) but can't be used in development (HTTP)
       secure: typeof baseUrl === 'string' && baseUrl.includes('https')