adonisjs/auth

adonis-session not saved on redirect


I am using google oauth and auth web guard for my login. Below is the end of my login function, after checking the google login.

await auth.use('web').login(user);
return response.redirect(`${Env.get('FRONTEND_DOMAIN')}`);

In localhost everything works fine, auth user gets initialised and on subsequent route calls the user is still logged in. However after deploying (using render.com), I find auth.user is initialised and saved before the return above. But after redirecting to the frontend, subsequent backend calls show that auth is not initialised. I changed nothing besides the localhost -> production links.

The biggest difference I see is in localhost, the adonis-session cookie is passed along with the request (screenshot: Screen Shot 2023-04-30 at 02 03 48) but not in production (screenshot: Screen Shot 2023-04-30 at 02 07 23).

I've tried changing config/session.ts (sameSite: false, explicit domain name etc.) but nothing works

  cookie: {
    domain: '.onrender.com',
    path: '/',
    httpOnly: true,
    secure: true,
    sameSite: 'none',
  },

I assume the problem has to do with some cookie and domain name related issue but I'm clueless and have gone a whole day on this with no avail. Any help is appreciated

Just for some extra info my login flow is

  • user calls /login - gets google redirect url
  • from the frontend navigates to url
  • log in with google
  • /google-callback (I changed the route from google/callback in the config) checks for errors
  • log in with web guard as above
  • redirects to FE home page

and my google config is as

const allyConfig: AllyConfig = {
	/*
	|--------------------------------------------------------------------------
	| Google driver
	|--------------------------------------------------------------------------
	*/
	google: {
		driver: 'google',
		clientId: Env.get('GOOGLE_CLIENT_ID'),
		clientSecret: Env.get('GOOGLE_CLIENT_SECRET'),
		callbackUrl: `${BACKEND_DOMAIN}/google-callback`,
	},
}

Hey @TheoA816! 👋🏻

Cookies are not cross-domain.
Your frontend and backend must be on the same (sub-)domain to work.

Also, you must use SameSite with LAX.

And lastly, I am not sure about the onrender.com cookie policy, but maybe you will have more chances with a custom domain.

Had to do with my FE and BE not being on the same domain. Accessed the backend through a proxy and everything worked fine. Thanks for the comment!