Merge pull request #4 from fells-code/cookie-update

Bccorb · web-flow · commit db32b2e659c5 · 2025-12-14T00:32:36.000-05:00
Cookie update
diff --git a/packages/express/package-lock.json b/packages/express/package-lock.json
diff --git a/packages/express/package.json b/packages/express/package.json
@@ -1,14 +1,14 @@
 {
   "name": "@seamless-auth/express",
-  "version": "0.0.2-beta.3",
+  "version": "0.0.2-beta.5",
   "description": "Express adapter for Seamless Auth passwordless authentication",
   "license": "MIT",
   "type": "module",
   "main": "dist/index.js",
   "types": "./dist/index.d.ts",
   "author": "Fells Code LLC",
   "scripts": {
-    "build": "tsup src/index.ts --format esm --out-dir dist --dts --splitting",
+    "build": "tsup src/index.ts --format esm --out-dir dist --splitting",
     "dev": "tsc --watch"
   },
   "repository": {
diff --git a/packages/express/src/createServer.ts b/packages/express/src/createServer.ts
@@ -37,6 +37,7 @@ import { verifySignedAuthResponse } from "./internal/verifySignedAuthResponse";
  * ```ts
  * app.use("/auth", createSeamlessAuthServer({
  *   authServerUrl: "https://identifier.seamlessauth.com",
+ *   cookieDomain: "mycompany.com",
  *   accesscookieName: "sa_access",
  *   registrationCookieName: "sa_registration",
  *   refreshCookieName: "sa_refresh",
@@ -45,6 +46,7 @@ import { verifySignedAuthResponse } from "./internal/verifySignedAuthResponse";
  *
  * @param opts - Configuration options for the Seamless Auth proxy:
  *   - `authServerUrl` — Base URL of your Seamless Auth instance (required)
+ *   - `cookieDomain` — Domain attribute applied to all auth cookies
  *   - `accesscookieName` — Name of the session access cookie
  *   - `registrationCookieName` — Name of the ephemeral registration cookie
  *   - `refreshCookieName` — Name of the refresh token cookie
@@ -61,14 +63,18 @@ export function createSeamlessAuthServer(
 
   const {
     authServerUrl,
+    cookieDomain = "",
     accesscookieName = "seamless-access",
     registrationCookieName = "seamless-ephemeral",
     refreshCookieName = "seamless-refresh",
     preAuthCookieName = "seamless-ephemeral",
   } = opts;
 
   const proxy =
-    (path: string, method: "GET" | "POST" | "PUT" | "DELETE" = "POST") =>
+    (
+      path: string,
+      method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE" = "POST"
+    ) =>
     async (req: Request, res: Response) => {
       try {
         const response = await authFetch(req, `${authServerUrl}/${path}`, {
@@ -84,6 +90,7 @@ export function createSeamlessAuthServer(
   r.use(
     createEnsureCookiesMiddleware({
       authServerUrl,
+      cookieDomain,
       accesscookieName,
       registrationCookieName,
       refreshCookieName,
@@ -99,6 +106,8 @@ export function createSeamlessAuthServer(
   r.post("/otp/verify-email-otp", proxy("otp/verify-email-otp"));
   r.post("/login", login);
   r.post("/users/update", proxy("users/update"));
+  r.post("/users/credentials", proxy("users/credentials"));
+  r.delete("/users/credentials", proxy("users/credentials"));
   r.post("/registration/register", register);
   r.get("/users/me", me);
   r.get("/logout", logout);
@@ -123,7 +132,13 @@ export function createSeamlessAuthServer(
       throw new Error("Signature mismatch with data payload");
     }
 
-    setSessionCookie(res, { sub: data.sub }, data.ttl, preAuthCookieName);
+    setSessionCookie(
+      res,
+      { sub: data.sub },
+      cookieDomain,
+      data.ttl,
+      preAuthCookieName
+    );
     res.status(204).end();
   }
 
@@ -135,7 +150,13 @@ export function createSeamlessAuthServer(
     const data = (await up.json()) as any;
     if (!up.ok) return res.status(up.status).json(data);
 
-    setSessionCookie(res, { sub: data.sub }, data.ttl, registrationCookieName);
+    setSessionCookie(
+      res,
+      { sub: data.sub },
+      cookieDomain,
+      data.ttl,
+      registrationCookieName
+    );
     res.status(200).json(data).end();
   }
 
@@ -163,13 +184,15 @@ export function createSeamlessAuthServer(
     setSessionCookie(
       res,
       { sub: data.sub, roles: data.roles },
+      cookieDomain,
       data.ttl,
       accesscookieName
     );
 
     setSessionCookie(
       res,
       { sub: data.sub, refreshToken: data.refreshToken },
+      cookieDomain,
       data.refreshTtl,
       refreshCookieName
     );
@@ -192,6 +215,7 @@ export function createSeamlessAuthServer(
     setSessionCookie(
       res,
       { sub: data.sub, roles: data.roles },
+      cookieDomain,
       data.ttl,
       accesscookieName
     );
@@ -205,6 +229,7 @@ export function createSeamlessAuthServer(
 
     clearAllCookies(
       res,
+      cookieDomain,
       accesscookieName,
       registrationCookieName,
       refreshCookieName
@@ -218,8 +243,8 @@ export function createSeamlessAuthServer(
     });
     const data = (await up.json()) as any;
 
-    clearSessionCookie(res, preAuthCookieName);
+    clearSessionCookie(res, cookieDomain, preAuthCookieName);
     if (!data.user) return res.status(401).json({ error: "unauthenticated" });
-    res.json({ user: data.user });
+    res.json({ user: data.user, credentials: data.credentials });
   }
 }
diff --git a/packages/express/src/internal/authFetch.ts b/packages/express/src/internal/authFetch.ts
@@ -2,7 +2,7 @@ import jwt from "jsonwebtoken";
 import { CookieRequest } from "../middleware/ensureCookies";
 
 export interface AuthFetchOptions {
-  method?: "GET" | "POST" | "PUT" | "DELETE";
+  method?: "GET" | "POST" | "PUT" | "DELETE" | "PATCH";
   body?: any;
   cookies?: string[];
   headers?: Record<string, string>;
diff --git a/packages/express/src/internal/cookie.ts b/packages/express/src/internal/cookie.ts
@@ -11,6 +11,7 @@ export interface CookiePayload {
 export function setSessionCookie(
   res: Response,
   payload: CookiePayload,
+  domain?: string,
   ttlSeconds = 300,
   name = "sa_session"
 ) {
@@ -20,6 +21,8 @@ export function setSessionCookie(
     throw new Error("Missing required env SEAMLESS_COOKIE_SIGNING_KEY");
   }
 
+  console.debug("[SeamlessAuth] Domain check... ", domain);
+
   const token = jwt.sign(payload, COOKIE_SECRET, {
     algorithm: "HS256",
     expiresIn: `${ttlSeconds}s`,
@@ -30,6 +33,7 @@ export function setSessionCookie(
     secure: process.env.NODE_ENV === "production",
     sameSite: process.env.NODE_ENV === "production" ? "none" : "lax",
     path: "/",
+    domain,
     maxAge: ttlSeconds * 1000,
   });
 }
@@ -44,11 +48,13 @@ export function clearSessionCookie(
 
 export function clearAllCookies(
   res: Response,
+  domain: string,
   accesscookieName: string,
   registrationCookieName: string,
   refreshCookieName: string
 ) {
-  res.clearCookie(accesscookieName, { path: "/" });
-  res.clearCookie(registrationCookieName, { path: "/" });
-  res.clearCookie(refreshCookieName, { path: "/" });
+  console.debug("[SeamlessAuth] clearing cookies");
+  res.clearCookie(accesscookieName, { domain, path: "/" });
+  res.clearCookie(registrationCookieName, { domain, path: "/" });
+  res.clearCookie(refreshCookieName, { domain, path: "/" });
 }
diff --git a/packages/express/src/internal/getSeamlessUser.ts b/packages/express/src/internal/getSeamlessUser.ts
@@ -1,6 +1,4 @@
-import type { Request } from "express";
 import { authFetch } from "./authFetch.js";
-import { verifySignedAuthResponse } from "./verifySignedAuthResponse.js";
 import { CookieRequest } from "../middleware/ensureCookies.js";
 import { verifyCookieJwt } from "./verifyCookieJwt.js";
 
diff --git a/packages/express/src/middleware/ensureCookies.ts b/packages/express/src/middleware/ensureCookies.ts
@@ -41,8 +41,9 @@ export function createEnsureCookiesMiddleware(opts: SeamlessAuthServerOptions) {
     req: CookieRequest,
     res: Response,
     next: NextFunction,
-    cookieDomain = ""
+    cookieDomain = opts.cookieDomain || ""
   ) {
+    console.debug("[SeamlessAuth] Ensuring cookies domain...", cookieDomain);
     const match = Object.entries(COOKIE_REQUIREMENTS).find(([path]) =>
       req.path.startsWith(path)
     );
@@ -65,6 +66,7 @@ export function createEnsureCookiesMiddleware(opts: SeamlessAuthServerOptions) {
         if (!refreshed?.token) {
           clearAllCookies(
             res,
+            cookieDomain,
             name,
             opts.registrationCookieName!,
             opts.refreshCookieName!
@@ -81,13 +83,15 @@ export function createEnsureCookiesMiddleware(opts: SeamlessAuthServerOptions) {
             token: refreshed.token,
             roles: refreshed.roles,
           },
+          cookieDomain,
           refreshed.ttl,
           name
         );
 
         setSessionCookie(
           res,
           { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
+          cookieDomain,
           refreshed.refreshTtl,
           opts.refreshCookieName!
         );
diff --git a/packages/express/src/middleware/requireAuth.ts b/packages/express/src/middleware/requireAuth.ts
@@ -126,13 +126,15 @@ export function requireAuth(
             token: refreshed.token,
             roles: refreshed.roles,
           },
+          cookieDomain,
           refreshed.ttl,
           cookieName
         );
 
         setSessionCookie(
           res,
           { sub: refreshed.sub, refreshToken: refreshed.refreshToken },
+          req.hostname,
           refreshed.refreshTtl,
           refreshCookieName
         );
