
Function cookies are treated as cross domain #544

Closed
jimmykane opened this issue Aug 1, 2019 · 13 comments
@jimmykane

jimmykane commented Aug 1, 2019

Related issues

https://stackoverflow.com/questions/57253593/cross-domain-state-cookie-for-oauth-using-firebase-functions-issue

[REQUIRED] Version info

10

firebase-functions:
^3.0.2

Not required

firebase-admin:

[REQUIRED] Test case

  1. Disable cross domain cookies on your browser (default on Safari)
  2. Deploy 2 functions at the same domain (as usual)
  3. Set a cookie to the client from functions A and try to read it on function B.

[REQUIRED] Steps to reproduce

  1. Disable cross domain cookies on your browser (default on Safari)
  2. Deploy 2 functions at the same domain (as usual)
  3. Set a cookie to the client from functions A and try to read it on function B.

[REQUIRED] Expected behavior

Get the same when cross domain cookies are enabled

[REQUIRED] Actual behavior

Cannot share cookie

Were you able to successfully deploy your functions?

YES


In detail

I am implementing an OAuth login for a user for the firebase platform.

All works fine except if the user has disabled cross domain cookies.

Here is what I did.

  1. From my domain/app the user gets redirected to a cloud function.
  2. The cloud function sets the state cookie and redirects the user to the OAuth provider.
  3. The user signs in to the OAuth provider and gets redirected back to another function to get the code etc. And here is the problem.

On step 3 above the function cannot read any cookie if the user has disabled the cross domain party cookies from his browser.
Both functions are on the same domain as seen below in the screenshot.

[screenshot]

Is there any way I can remedy this issue? Am I doing something wrong in my approach?

I cannot understand why the 2 functions are treated as cross domain.

@google-oss-bot
Collaborator

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@kevinajian
Contributor

@jimmykane sorry to hear you're having this issue. Can you provide a reproducible example so I can try to test this out?

@kevinajian kevinajian added api: functions Needs: Author Feedback Issues awaiting author feedback and removed needs-triage labels Aug 1, 2019
@kevinajian kevinajian self-assigned this Aug 1, 2019
@jimmykane
Author

jimmykane commented Aug 2, 2019

@kevinajian no worries.

I was guided by this example:

https://github.com/firebase/functions-samples/tree/master/instagram-auth

You can use the above example with a browser like Brave, or just disable the cross domain cookies on your current browser.

There is also the same issue there

firebase/functions-samples#569

My code over this https://github.com/jimmykane/quantified-self/tree/master/functions

Can also be related to firebase/functions-samples#526

But here I am lost.

My main confusion, and that is why I opened this issue, is why the 2 functions are treated by the browser as cross domain while they look like the same domain. (Perhaps something on firebase changes?)

@google-oss-bot google-oss-bot added Needs: Attention and removed Needs: Author Feedback Issues awaiting author feedback labels Aug 2, 2019
@kevinajian
Contributor

I tried to repro with the instagram-auth sample on Safari (made sure the cross-site tracking was off) and the cookies were fine for me.
[screenshot]

Can you share your logs with the error? And do you have any extensions enabled on Safari that could be blocking this?

@kevinajian kevinajian added Needs: Author Feedback Issues awaiting author feedback and removed Needs: Attention labels Aug 2, 2019
@kevinajian
Contributor

Can you also try deploying the functions to us-central1? I wonder if the region is possibly causing issues here.

@jimmykane
Author

jimmykane commented Aug 3, 2019

@kevinajian indeed with Safari on OSX and cross site cookies it works.

Perhaps try the Brave browser (it's Chromium based) and from there disable the cross domain cookies like so
[Screenshot 2019-08-03 at 10 23 44]

With this setting it exposes 10/10 for me

In the meanwhile I'll give a try to deploy on US-Central1 to see if there is a change.

Thanks again for your time and may you have a great weekend

@google-oss-bot google-oss-bot added Needs: Attention and removed Needs: Author Feedback Issues awaiting author feedback labels Aug 3, 2019
@kevinajian
Contributor

This was testing Safari with cross-site tracking turned off.
Can you try this repro I made? It's set on europe-west2, so it should be similar to yours.
https://kjian-19-7-30.firebaseapp.com
The popup calls the redirect function which sets the cookie and state. The token function seems to be reading it fine for me.

I'm actually running into issues getting the Brave browser working, so I'll follow up on that when possible.

@kevinajian kevinajian added Needs: Author Feedback Issues awaiting author feedback and removed Needs: Attention labels Aug 5, 2019
@jimmykane
Author

@kevinajian tried to auth with the link. Did you get any errors in the logs?

@google-oss-bot google-oss-bot added Needs: Attention and removed Needs: Author Feedback Issues awaiting author feedback labels Aug 6, 2019
@jimmykane
Author

Will be having more time later this week to continue debugging this issue. My apologies so far for not taking any action as I became a dad and trying to get some extra time.

@jimmykane
Author

In your example with cross domain cookies on (or 3rd party as others call it) it does not get the state cookie as well. So with your example it is reproducible as well. I suppose you got the logs in that function (I hope :-) )

Here are some screenshots

ENABLED cross site cookies
[Screenshot 2019-08-06 at 12 21 51]

DISABLED cross site cookies
[Screenshot 2019-08-06 at 12 21 07]

@jimmykane
Author

jimmykane commented Aug 6, 2019

Trying to help a bit more here.

A user that replied on StackOverflow says:

Your Response shows a Set-Cookie header for state and signInWithService cookies without a domain attribute:

and in the code of the examples it has

res.cookie('state', state, {maxAge: 3600000, secure: secureCookie, httpOnly: true});

Could that be the case?

@jimmykane
Author

@kevinajian I think this gets more complicated and in the end does not look like a cloud function issue

Please read the awarded answer https://stackoverflow.com/questions/57253593/cross-domain-state-cookie-issue-for-oauth-using-firebase-functions-while-on-the/57349498?noredirect=1#comment101255088_57349498

Feel free to close this if you agree and thanks already for your time

@kevinajian
Contributor

I think what was even more confusing was that I saw your test passing in my logs. My simple case was just setting the state cookie and printing it out.
In your image with the cross site cookies disabled (state = a5a6bcf...)
[screenshot]
My logs show the cookie being set and read:
[screenshot]

What that answer says makes sense. Glad they were able to help you out, and will close this out.
