Alright, I’ve been fighting this for a while, and tried pretty much every configuration of this.
First off, my node_env hypothesis was not true. Setting that did not help me.
I cannot get it to work. SameSite ‘Lax’, ‘Strict’, ‘None’. ‘Secure’ as either true or false. Every variation of my domain and subdomain. I’ve even set the domain through an environment variable and.
Upside is that I’ve learned a lot about CORS and the redwood logger. Downside is that this does not work.
The only thing I can think of is that I don’t have a custom domain set up (I’m on cloudfront.net still), so perhaps that’s causing some weird config error? Doesn’t make a lot of sense, but I’m at a loss.
@ahoopes16 thank you especially for your thoughts and old posts. I’ve gone through everything you’ve written on this and the relevant PR, but nothing that got me there.
Here’s my full code if you or anyone else wants to take a look. At this point I’m probably just going to assume it’s an AWS thing and try out Render to see if that’s the path of least resistance. I’ll poke the Flightcontrol guys to see if they have any thoughts too.
```js
const authHandler = new DbAuthHandler(event, context, {
  cors: { origin: process.env.REDWOOD_WEB_URL, credentials: true },
  // Provide prisma db client
  db: db,
  // The name of the property you'd call on `db` to access your user table.
  // i.e. if your Prisma model is named `User` this value would be `user`, as in `db.user`
  authModelAccessor: 'user',
  // A map of what dbAuth calls a field to what your database calls it.
  // `id` is whatever column you use to uniquely identify a user (probably
  // something like `id` or `userId` or even `email`)
  authFields: {
    id: 'id',
    username: 'email',
    hashedPassword: 'hashedPassword',
    salt: 'salt',
    resetToken: 'resetToken',
    resetTokenExpiresAt: 'resetTokenExpiresAt',
  },
  // Specifies attributes on the cookie that dbAuth sets in order to remember
  // who is logged in. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
  cookie: {
    HttpOnly: true,
    Path: '/',
    SameSite: 'Lax',
    Secure: process.env.NODE_ENV !== 'development',
    // If you need to allow other domains (besides the api side) access to
    // the dbAuth session cookie:
    Domain:
      process.env.NODE_ENV === 'development'
        ? 'localhost'
        : process.env.COOKIE_DOMAIN,
  },
})
```
And env vars in prod per my logging:

```
{"custom":{"cookieDomain":"cloudflare.net","nodeProcess":"production","origin":"https://[redacted].cloudfront.net"},"msg":"Cookie options"}
```

where `origin` is `process.env.REDWOOD_WEB_URL` and is not redacted in the actual log.
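As an added diagnostic (not the poster's code and not part of Redwood), the following script checks whether a dbAuth-style cookie configuration can ever be accepted and sent by a browser for a given API host and web origin: the `Domain` attribute must domain-match the API host and must not be a public suffix, a cross-site web origin needs `SameSite=None` (which in turn needs `Secure`), and a credentialed CORS origin must match the web origin exactly. The hostnames and the public-suffix excerpt are constructed assumptions; the real Public Suffix List is much longer.

```javascript
// Constructed excerpt of the Public Suffix List (the real list is far longer).
// cloudfront.net is listed there, so every *.cloudfront.net host is its own site.
const PUBLIC_SUFFIXES = ['com', 'net', 'cloudfront.net'];

function publicSuffix(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.includes(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// "Site" in the SameSite sense: the registrable domain (one label above the public suffix).
function site(host) {
  const lower = host.toLowerCase();
  const suffix = publicSuffix(lower);
  const rest = lower === suffix ? '' : lower.slice(0, lower.length - suffix.length - 1);
  const labels = rest.split('.').filter(Boolean);
  return labels.length ? `${labels[labels.length - 1]}.${suffix}` : suffix;
}

// Returns a list of reasons the session cookie would be rejected or not sent.
function diagnoseCookie({ apiHost, webOrigin, cookie, corsOrigin }) {
  const problems = [];
  const api = apiHost.toLowerCase();
  const webHost = new URL(webOrigin).hostname;
  const domain = cookie.Domain ? cookie.Domain.toLowerCase().replace(/^\./, '') : null;
  if (domain) {
    // Browsers drop a cookie whose Domain is a public suffix...
    if (PUBLIC_SUFFIXES.includes(domain)) problems.push(`Domain=${domain} is a public suffix; the browser rejects the cookie`);
    // ...or whose Domain does not cover the host that set it (the API host).
    else if (api !== domain && !api.endsWith('.' + domain)) problems.push(`Domain=${domain} does not match API host ${api}`);
  }
  const crossSite = site(api) !== site(webHost);
  if (crossSite && cookie.SameSite !== 'None') problems.push(`${webHost} and ${api} are different sites; a SameSite=${cookie.SameSite} cookie is not sent on fetch`);
  if (cookie.SameSite === 'None' && !cookie.Secure) problems.push('SameSite=None requires Secure');
  if (corsOrigin === '*' || corsOrigin !== webOrigin) problems.push(`CORS origin ${corsOrigin} must equal ${webOrigin} exactly when credentials: true`);
  return problems;
}

// Constructed example: web and API on separate cloudfront.net subdomains, Domain=cloudfront.net.
console.log(diagnoseCookie({
  apiHost: 'd222.cloudfront.net',
  webOrigin: 'https://d111.cloudfront.net',
  cookie: { HttpOnly: true, Path: '/', SameSite: 'Lax', Secure: true, Domain: 'cloudfront.net' },
  corsOrigin: 'https://d111.cloudfront.net',
}));
```

A custom domain that puts the web and API hosts under one registrable domain (e.g. `app.example.com` and `api.example.com` with `Domain=example.com`) clears every check with `SameSite=Lax`.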