
feat(auth): implement __Secure and __Host cookies#10

Merged
halvaradop merged 3 commits into master from feat/add-secure-cookies
Nov 20, 2025

Conversation

@halvaradop (Member) commented Nov 19, 2025

Description

This pull request implements secure cookies across all authentication workflows of the library, including signIn, callback, session, and signOut — the currently supported endpoints in Aura Auth.

These security prefixes follow modern standards and provide additional guarantees beyond regular cookie options. They also offer compatibility benefits for older browser user-agents, as described in the HTTP State Management Mechanism specification. The prefixes inform the browser how the cookie must be treated, both in client-to-server and server-to-client communication.

Supported Prefixes

  • __Secure- — Indicates that the cookie must be sent only over secure contexts (HTTPS).

  • __Host- — A stricter variant of __Secure-. Cookies using this prefix:

    • must not include a Domain attribute
    • must use Path=/
    • must be sent over secure contexts

Cookie Configuration

To support secure cookie behaviors, this PR also adds new cookie configuration options.
Users can customize them under config.cookies, which accepts the following structure:

interface CookieOptions {
  name: string
  flag: "standard" | "secure" | "host"
  options: {
    secure: boolean
    maxAge: number
    expires: number
    domain: string
    path: string
    httpOnly: boolean
    partitioned: boolean
    sameSite: string
  }
}

Explanation of CookieOptions

  • name: The cookie name. Defaults to "aura-stack".
  • flag: Determines the security level of the cookie. Default: "standard".
    • secure — Automatically prepends __Secure-
    • host — Automatically prepends __Host- and enforces:
      • path="/",
      • no domain,
      • secure: true
    • standard — Allows full manual configuration of cookie attributes
  • options: The cookie attributes. These are type-sensitive and adapt automatically depending on the flag chosen.

Note

Aura Auth automatically enforces secure cookies whenever a secure HTTPS connection is detected, even if the user manually disables the secure flag. This prevents misconfigurations and ensures safe defaults.

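The prefix rules and the flag behaviour described in the PR above, as an added example that is not Aura Auth's own code: serializeCookie applies the flag the way the description says (prepend the prefix, force Path=/ and Secure and drop Domain for "host", force Secure for "secure", and force Secure whenever the request arrived over HTTPS), and browserWouldAccept applies the checks a browser runs on receipt per RFC 6265bis. The second function is the practical caveat: the prefix is enforced by the user agent, so a prefixed cookie that violates the rules is dropped silently and the session never reaches the server. The CookieOptions shape is taken from the PR description; the function names, the `expires` interpretation and the sample values are this example's own assumptions.

```typescript
// Added example, not code from the Aura Auth project. The CookieOptions
// shape follows the PR description; serializeCookie and browserWouldAccept
// are this example's own names.

type Flag = "standard" | "secure" | "host";

interface CookieOptions {
  name: string;
  flag: Flag;
  options: Partial<{
    secure: boolean;
    maxAge: number;
    expires: number; // assumed here to be a Unix timestamp in milliseconds
    domain: string;
    path: string;
    httpOnly: boolean;
    partitioned: boolean;
    sameSite: "Strict" | "Lax" | "None";
  }>;
}

// Build the Set-Cookie header value for one cookie, applying the flag rules
// from the PR description before serializing the attributes.
function serializeCookie(cfg: CookieOptions, value: string, requestIsHttps: boolean): string {
  const o = { ...cfg.options };
  let name = cfg.name;
  if (cfg.flag === "host") {
    // __Host-: no Domain, Path=/, Secure, regardless of what the caller set.
    name = `__Host-${name}`;
    o.secure = true;
    o.path = "/";
    delete o.domain;
  } else if (cfg.flag === "secure") {
    // __Secure-: Secure is mandatory, other attributes stay configurable.
    name = `__Secure-${name}`;
    o.secure = true;
  }
  // Safe default from the PR note: an HTTPS request always yields a Secure cookie,
  // even when the caller disabled the attribute.
  if (requestIsHttps) o.secure = true;

  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (o.maxAge !== undefined) parts.push(`Max-Age=${o.maxAge}`);
  if (o.expires !== undefined) parts.push(`Expires=${new Date(o.expires).toUTCString()}`);
  if (o.domain) parts.push(`Domain=${o.domain}`);
  if (o.path) parts.push(`Path=${o.path}`);
  if (o.secure) parts.push("Secure");
  if (o.httpOnly) parts.push("HttpOnly");
  if (o.partitioned) parts.push("Partitioned");
  if (o.sameSite) parts.push(`SameSite=${o.sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header the way a browser does and apply the acceptance
// rules of RFC 6265bis: a Secure cookie is only accepted from a secure origin,
// __Secure- requires the Secure attribute, and __Host- additionally requires
// no Domain attribute and Path=/. Prefixes are matched case-insensitively.
function browserWouldAccept(setCookie: string, fromSecureOrigin: boolean): boolean {
  const [pair = "", ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("=")).toLowerCase();
  const attrMap = new Map<string, string>();
  for (const a of attrs) {
    const i = a.indexOf("=");
    attrMap.set((i < 0 ? a : a.slice(0, i)).toLowerCase(), i < 0 ? "" : a.slice(i + 1));
  }
  const secure = attrMap.has("secure");
  if (secure && !fromSecureOrigin) return false; // Secure cookie set over plain HTTP is dropped
  if (name.startsWith("__host-")) {
    return secure && !attrMap.has("domain") && attrMap.get("path") === "/";
  }
  if (name.startsWith("__secure-")) return secure;
  return true;
}

// Usage with constructed sample values: the "host" flag strips the Domain the
// caller set and rewrites the Path, so the browser accepts the cookie.
const sessionCookie: CookieOptions = {
  name: "aura-stack",
  flag: "host",
  options: { domain: "example.com", path: "/auth", httpOnly: true, sameSite: "Lax" },
};
const header = serializeCookie(sessionCookie, "s3ss10n", true);
const accepted = browserWouldAccept(header, true);
// A __Secure- cookie issued over plain HTTP is serialized fine but never stored.
const overHttp = serializeCookie({ name: "aura-stack", flag: "secure", options: {} }, "v", false);
const storedOverHttp = browserWouldAccept(overHttp, false);
```

The failure mode worth testing in a deployment is the last case: with flag "secure" or "host", an app served over plain HTTP (a reverse proxy that terminates TLS but does not tell the app it did, or a non-localhost dev host) will set the cookie without error and every subsequent request arrives without it, so the session check fails with no server-side log of why. Browsers treat http://localhost as a secure context, so the problem typically shows up only on a staging host.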
@vercel vercel Bot (Contributor) commented Nov 19, 2025

Project: auth | Deployment: Ready | Preview: Ready | Comments: Preview Comment | Updated (UTC): Nov 20, 2025 3:23pm

@halvaradop halvaradop merged commit da0b594 into master Nov 20, 2025
2 checks passed
@halvaradop halvaradop deleted the feat/add-secure-cookies branch November 20, 2025 15:25
@halvaradop halvaradop added enhancement New feature or request feature New functionality security Security-related changes, vulnerability fixes, or hardening measures. labels Jan 23, 2026