Function cookies are treated as cross domain

[jimmykane]

Related issues

https://stackoverflow.com/questions/57253593/cross-domain-state-cookie-for-oauth-using-firebase-functions-issue

[REQUIRED] Version info

10

firebase-functions:
^3.0.2

Not required

firebase-admin:

[REQUIRED] Test case

1. Disable cross domain cookies on your browser (default on Safari)
2. Deploy 2 functions at the same domain (as usual)
3. Set a cookie to the client from functions A and try to read it on function B.

[REQUIRED] Steps to reproduce

1. Disable cross domain cookies on your browser (default on Safari)
2. Deploy 2 functions at the same domain (as usual)
3. Set a cookie to the client from functions A and try to read it on function B.

[REQUIRED] Expected behavior

Get the same when cross domain cookies are enabled

[REQUIRED] Actual behavior

Cannot share cookie

Were you able to successfully deploy your functions?

YES

---

In detail

I am implementing a oAuth login for a user for the firebase platform.

All works fine except if the user has disabled cross domain cookies.

Here is what I did.

1. From my domain/app the user gets redirected to a cloud function.
2. The could function sets the state cookie and redirects the user to the oAuth provider.
3. The user signs in to the oAuth provider and gets redirected back to another function to get the code etc. And here is the problem

On step 3 above the function cannot read any cookie if the user has disabled the cross domain party cookies from his browser.
Both functions are on the same domain as seen below in the screenshot.

Is there any way I can remedy this issue? Am I doing something wrong in my approach?

I cannot understand why the 2 functions are treated as crossdomain.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[kevinajian]

@jimmykane sorry to hear you're having this issue. Can you provide a reproducible example so I can try to test this out?

[jimmykane]

@kevinajian no worries.

I was guided by this example:

https://github.com/firebase/functions-samples/tree/master/instagram-auth

You can use the above example with a browser like Brave, or just disable the cross domain cookies on your current browser.

There is also the same issue there

firebase/functions-samples#569

My code over this https://github.com/jimmykane/quantified-self/tree/master/functions

Can also be realated to firebase/functions-samples#526

But here I am lost.

My main confusion, and that is why I opened this issue is why the 2 functions are treated by the browser as cross domain while they look as the same domain. (Perhaps something on firebase changes?)

[kevinajian]

I tried to repro with the instagram-auth sample on Safari (made sure the cross-site tracking was off) and the cookies were fine for me.

Can you share your logs with the error? And do you have any extensions enabled on Safari that could be blocking this?

[kevinajian]

Can you also try deploying the functions to us-central1? I wonder if the region is possibly causing issues here.

[jimmykane]

@kevinajian indeed with safari on OSX and cross site cookies it works.

Perhaps try the brave browser (its chromium based) and from there disable the cross domain cookies like so

With this setting it exposes 10/10 for me

In the meanwhile I ll give a try to deploy on US-Central1 to see if there is a change.

Thanks again for your time and may you have a great weekend

[kevinajian]

This was testing Safari with cross-site tracking turned off.
Can you try this repro I made? It's set on europe-west2, so it should be similar to yours.
https://kjian-19-7-30.firebaseapp.com
The popup calls the redirect function which sets the cookie and state. The token function seems to be reading it fine for me.

I'm actually running into issues getting the Brave browser working, so I'll followup on that when possible.

[jimmykane]

@kevinajian tried to auth with the link. Did you get any errors in the logs?

[jimmykane]

Will be having more time later this week to continue debugging this issue. My apologies so far for not taking any action as I became a dad and trying to get some extra time.

[jimmykane]

At your example with cross domain cookies on (or 3rd party as others call it) does not get the state cookie as well. So with your example is reproducible as well. I suppose you got the logs in that function (I hope :-) )

Here are some screenshots

ENABLED Cross site Cookies

DISABLED Cross site cookies

[jimmykane]

Trying to help a bit more here.

A user that replied on StackOverflow says:

Your Response shows a Set-Cookie header for state and signInWithService cookies without a domain attribute:

and in the code of the examples it has

res.cookie('state', state, {maxAge: 3600000, secure: secureCookie, httpOnly: true});

Could that be the case?

[jimmykane]

@kevinajian I think this gets more complicated and in the end does not look like a cloud function issue

Please read the awarded answer https://stackoverflow.com/questions/57253593/cross-domain-state-cookie-issue-for-oauth-using-firebase-functions-while-on-the/57349498?noredirect=1#comment101255088_57349498

Feel free to close this if you agree and thanks already for your time

[kevinajian]

I think what was even more confusing was that I saw your test passing in my logs. My simple case was just setting the state cookie and printing it out.
In your image with the cross site cookies disabled (state = a5a6bcf...)

My logs show the cookie being set and read:

What that answer says makes sense. Glad they were able to help you out, and will close this out.