fix: infinite redirect when logging in

by setting `Same-Site=Lax`: https://bugs.chromium.org/p/chromium/issues/detail?id=696204#c41
discord-tickets · Mar 13, 2023 · 757f77f · 757f77f
1 parent 6773d9d
commit 757f77f
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/src/routes/auth/callback.js b/src/routes/auth/callback.js
@@ -6,6 +6,8 @@ module.exports.get = () => ({
 			access_token: accessToken,
 			expires_in: expiresIn,
 		} = await this.discord.getAccessTokenFromAuthorizationCodeFlow(req);
+		const redirect = this.states.get(req.query.state) || '/';
+		this.states.delete(req.query.state);
 		const user = await (await fetch('https://discordapp.com/api/users/@me', { headers: { 'Authorization': `Bearer ${accessToken}` } })).json();
 		const token = this.jwt.sign({
 			accessToken,
@@ -16,16 +18,14 @@ module.exports.get = () => ({
 			locale: user.locale,
 			username: user.username,
 		});
-		res
-			.setCookie('token', token, {
-				domain,
-				httpOnly: true,
-				maxAge: expiresIn,
-				path: '/',
-				sameSite: true,
-				secure: false,
-			})
-			.redirect(this.states.get(req.query.state) || '/');
-		this.states.delete(req.query.state);
+		res.setCookie('token', token, {
+			domain,
+			httpOnly: true,
+			maxAge: expiresIn,
+			path: '/',
+			sameSite: 'Lax',
+			secure: false,
+		});
+		return res.redirect(303, redirect);
 	},
 });