# SSR OAuth in Next.js not working properly

45 messages · Page 1 of 1 (latest)

spice palm
#

Hi,

```
import { NextRequest, NextResponse } from "next/server";
import { cookies } from "next/headers";
// createAdminClient() is the poster's own helper (not shown in the thread); import path assumed
import { createAdminClient } from "./appwrite";

// OAuth callback route: Appwrite redirects back here with userId and secret in the query string
export async function GET(request: NextRequest) {
  const userId = request.nextUrl.searchParams.get("userId");
  const secret = request.nextUrl.searchParams.get("secret");

  if (!userId || !secret) {
    return NextResponse.json({ error: "Invalid request" }, { status: 400 });
  }

  // Exchange the one-time userId/secret pair for a session using the server-side admin client
  const { account } = await createAdminClient();
  const session = await account.createSession(userId, secret);

  // Store the session secret in an HttpOnly cookie so only the server can read it
  cookies().set("my-custom-session", session.secret, {
    path: "/",
    httpOnly: true,
    sameSite: "strict",
    secure: true,
  });

  return NextResponse.redirect(`${request.nextUrl.origin}/`);
}
```

this code redirects the user to the home page, but actually when redirected, at the same time I am calling


```
// createSessionClient() is the poster's helper shown later in the thread; import path assumed
import { createSessionClient } from "./appwrite";

// Returns the logged-in user, or null when there is no usable session cookie
export async function getLoggedInUser() {
  try {
    const { account } = await createSessionClient();
    return await account.get();
  } catch (error) {
    console.log(error);
    return null;
  }
}
```

this function, and this function returns null; after a refresh it still returns null. But when I enter the url in the browser and login again it works

#

user is updated

#

I don't understand, I followed the docs and it's not working

#
```
  cookies().set("my-custom-session", session.secret, {
    path: "/",
    httpOnly: true,
    sameSite: "lax",
    secure: true,
  });
```

would that be good option?

river yoke
#

<@&634618551491100692> please, any idea, we are stuck. It is working but we have no idea if it is the most secure implementation

spice palm
#

I meant in nextjs strict is not working
when redirected and the cookie was added
the browser is still in the old state
and is not consistent with the new cookie
that was successfully added
that's why I changed strict to lax and it was working
actually, I did not have time and have not searched about those attributes
I copied everything from the docs, maybe the docs need to be updated

#

in the docs 'strict' was written, dunno if you tested this before you wrote that in the docs

thorny smelt
#

Does it work if you refresh the page after logging in?

spice palm
#

nope

#

in 'strict' mode

#

refreshing not working

thorny smelt
#

Do you have the code for createSessionClient()?

spice palm
#

but if I enter the url from the address bar

#
```
import { Client, Account } from "node-appwrite";
import { cookies } from "next/headers";

// Builds an Appwrite client authenticated with the session secret stored in the cookie
export async function createSessionClient() {
  const client = new Client()
    .setEndpoint(process.env.NEXT_PUBLIC_APPWRITE_ENDPOINT!)
    .setProject(process.env.NEXT_PUBLIC_APPWRITE_PROJECT!);

  // Read the cookie written by the OAuth callback route
  const session = cookies().get("my-custom-session");
  if (!session || !session.value) {
    throw new Error("No session");
  }

  client.setSession(session.value);

  return {
    get account() {
      return new Account(client);
    },
  };
}
```
thorny smelt
spice palm
#

yep

thorny smelt
#

Try this change after you set the cookie

```
const response = NextResponse.redirect(`${request.nextUrl.origin}/`);
response.cookies.set("my-custom-session", session.secret);
return response;
```
spice palm
#

I thought about that, I did not try

#

let's test it

#

should i also pass

#

expire date and other attributes?

thorny smelt
#

I don't think it's needed at this point, I've only tested it with just the value so best to see if that works before we start adding anything else to it

spice palm
#

it would work if it doesn't set the attribute as 'strict'

#

that's why I asked

#

okay working

#

as i said

#

it's working because sameSite is None

#
```
  response.cookies.set("my-custom-session", session.secret, {
    sameSite: "strict",
  });
```
#

I have this and it's not working again

thorny smelt
#

Hmm... this does seem like it could be a security issue though as this would make it a cross-site cookie

spice palm
#

Yep, don't know a lot about this stuff

#

Is there any solution for that

thorny smelt
#

Let me take a look and see if I can find a solution, this looks like it's more likely to be a Next issue

spice palm
#

I wrote about that on the nextjs server as well

lucid forge
#

Are you using cloud? what is your SDK version?

river yoke
#

No, self-hosted

#

1.5.7

river yoke
lucid forge
#

Cloud isn't using a different SDK, however your project could have an old version; SSR had some problems and it was solved in one of the latest versions

spice palm
#

everything is latest

lucid forge
#

After the user is logged, can you see the cookie in the browser?

Can you look at the value of const session = cookies().get("my-custom-session"); in createSessionClient

The problem seems like the SDK isn't getting the right session

spice palm
#

okay I will see later

elder widget
#

If the sameSite is "Lax" or not present it works. Else it does not.
The cookie is not retrieved inside createSessionClient in the initial redirect.

But after OAuth login, refresh works when the sameSite is set. Please help

elder widget