Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support one unified cookie with a custom name, such as __session, for Firebase hosting #190

Open
maerzhase opened this issue May 28, 2021 · 4 comments
Open

Support one unified cookie with a custom name, such as __session, for Firebase hosting #190

maerzhase opened this issue May 28, 2021 · 4 comments
Labels
breaking The issue or PR will introduce a breaking change enhancement New feature or request

Comments

@maerzhase
Copy link

Describe the bug
Serverside authentication doesn't work in firebase hosting because all cookies are being stripped but a cookie named __session is allowed. Is it possible to configure cookies so this also works in firebase hosting?

From firebase docs:

When using Firebase Hosting together with Cloud Functions or Cloud Run, cookies are generally stripped from incoming requests. This is necessary to allow for efficient CDN cache behavior. Only the specially-named __session cookie is permitted to pass through to the execution of your app.

https://firebase.google.com/docs/hosting/manage-cache#using_cookies

Version
What version of next-firebase-auth are you using?
v13.1.0

To Reproduce
Steps to reproduce the behavior:

  1. Deploy examples to cloud run
  2. Setup firebase hosting for your cloud run service
  3. Visit firebase hosting domain
  4. Try out serverside authentication

Expected behavior
Being able to use server side authentication with the cookie named __session as described in firebase documentation
@kmjennison
Copy link
Contributor

Is there any way to whitelist other cookies in Firebase hosting? I didn't see one, unfortunately.

There's not currently a built-in way to set one cookie named __session, though it makes sense to support. A challenge is the underlying cookies library breaks out a second .sig cookie for signed cookies, so we'd need to combine the value and signature into one cookie. In addition, any change to cookie structure or signing needs to be backwards-compatible.

@kmjennison kmjennison added the enhancement New feature or request label May 28, 2021
@kmjennison kmjennison changed the title Use __session cookie for serverside authentication Support one unified cookie with a custom name, such as __session, for Firebase hosting May 28, 2021
@maerzhase
Copy link
Author

Jeah there is no way around it; and I am breaking my head around this crazy limitation given the fact that this problems exists for any service providing dynamic content through firebase hosting... 😱

As an intermediate solution what would you think of disabling cookie signing when using "unified cookie"?!

As far as I see it signing only makes sense when there is the possibility to separate the signature from the value.

maerzhase added a commit to maerzhase/next-firebase-auth that referenced this issue May 31, 2021
@maerzhase
implement cookies.unified option to use unified cookie
2ac7334 
a single unified cookie is required in order to make server side
authentication work in firebase hosting scenarions. since firebase
hosting only allows you to use on single cookie; cookies.signed
will default to false when cookies.unified is set to true

- related to github.com/gladly-team/issues/190
@maerzhase maerzhase mentioned this issue May 31, 2021
Closed
@kmjennison
Copy link
Contributor

I think the right approach would be for this package to always use a single cookie and allow the user to customize the cookie's full name, not just the prefix (as it does now).

See #192 (comment) for more discussion.

@kmjennison kmjennison added the breaking The issue or PR will introduce a breaking change label Aug 7, 2021
@kmjennison kmjennison mentioned this issue Aug 7, 2021
Closed
24 tasks
jjerror-sequoia pushed a commit to jjerror-sequoia/next-firebase-auth that referenced this issue Jan 29, 2022
@maerzhase @jjerror-sequoia
implement cookies.unified option to use unified cookie
2c65bab 
a single unified cookie is required in order to make server side
authentication work in firebase hosting scenarions. since firebase
hosting only allows you to use on single cookie; cookies.signed
will default to false when cookies.unified is set to true

- related to github.com/gladly-team/issues/190
@hunghvu hunghvu mentioned this issue Mar 16, 2022
Closed
jjerror-sequoia pushed a commit to jjerror-sequoia/next-firebase-auth that referenced this issue Aug 6, 2022
@maerzhase @jjerror-sequoia
implement cookies.unified option to use unified cookie
00797ad 
a single unified cookie is required in order to make server side
authentication work in firebase hosting scenarions. since firebase
hosting only allows you to use on single cookie; cookies.signed
will default to false when cookies.unified is set to true

- related to github.com/gladly-team/issues/190
@husseyexplores husseyexplores mentioned this issue May 27, 2023
Closed
@kmjennison
Copy link
Contributor

This might be made unnecessary if we implement #287.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
breaking The issue or PR will introduce a breaking change enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maerzhase @kmjennison