feat(core): make pkce and state maxAge configurable on the cookies (#4719)

jason-brady-mythical · web-flow · commit f277989c69cd · 2022-12-01T08:02:42.000+07:00
* feat(cookies): make pkce and state maxAge configurable on the cookies (#4660) * added tests for pkce and state handlers
diff --git a/docs/docs/configuration/options.md b/docs/docs/configuration/options.md
@@ -472,7 +472,8 @@ cookies: {
       httpOnly: true,
       sameSite: 'lax',
       path: '/',
-      secure: useSecureCookies
+      secure: useSecureCookies,
+      maxAge: 900
     }
   },
   state: {
@@ -482,6 +483,7 @@ cookies: {
       sameSite: "lax",
       path: "/",
       secure: useSecureCookies,
+      maxAge: 900
     },
   },
   nonce: {
diff --git a/packages/next-auth/src/core/lib/cookie.ts b/packages/next-auth/src/core/lib/cookie.ts
@@ -93,6 +93,7 @@ export function defaultCookies(useSecureCookies: boolean): CookiesOptions {
         sameSite: "lax",
         path: "/",
         secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
       },
     },
     state: {
@@ -102,6 +103,7 @@ export function defaultCookies(useSecureCookies: boolean): CookiesOptions {
         sameSite: "lax",
         path: "/",
         secure: useSecureCookies,
+        maxAge: 60 * 15, // 15 minutes in seconds
       },
     },
     nonce: {
diff --git a/packages/next-auth/src/core/lib/oauth/pkce-handler.ts b/packages/next-auth/src/core/lib/oauth/pkce-handler.ts
@@ -26,21 +26,23 @@ export async function createPKCE(options: InternalOptions<"oauth">): Promise<
   const code_verifier = generators.codeVerifier()
   const code_challenge = generators.codeChallenge(code_verifier)
 
+  const maxAge = cookies.pkceCodeVerifier.options.maxAge ?? PKCE_MAX_AGE
+
   const expires = new Date()
-  expires.setTime(expires.getTime() + PKCE_MAX_AGE * 1000)
+  expires.setTime(expires.getTime() + maxAge * 1000)
 
   // Encrypt code_verifier and save it to an encrypted cookie
   const encryptedCodeVerifier = await jwt.encode({
     ...options.jwt,
-    maxAge: PKCE_MAX_AGE,
+    maxAge,
     token: { code_verifier },
   })
 
   logger.debug("CREATE_PKCE_CHALLENGE_VERIFIER", {
     code_challenge,
     code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
     code_verifier,
-    PKCE_MAX_AGE,
+    maxAge,
   })
 
   return {
diff --git a/packages/next-auth/src/core/lib/oauth/state-handler.ts b/packages/next-auth/src/core/lib/oauth/state-handler.ts
@@ -17,17 +17,18 @@ export async function createState(
   }
 
   const state = generators.state()
+  const maxAge = cookies.state.options.maxAge ?? STATE_MAX_AGE
 
   const encodedState = await jwt.encode({
     ...jwt,
-    maxAge: STATE_MAX_AGE,
+    maxAge,
     token: { state },
   })
 
-  logger.debug("CREATE_STATE", { state, maxAge: STATE_MAX_AGE })
+  logger.debug("CREATE_STATE", { state, maxAge })
 
   const expires = new Date()
-  expires.setTime(expires.getTime() + STATE_MAX_AGE * 1000)
+  expires.setTime(expires.getTime() + maxAge * 1000)
   return {
     value: state,
     cookie: {
diff --git a/packages/next-auth/tests/pkce-handler.test.ts b/packages/next-auth/tests/pkce-handler.test.ts
@@ -0,0 +1,139 @@
+import { mockLogger } from "./lib"
+import type { InternalOptions, LoggerInstance, InternalProvider, CallbacksOptions, Account, Awaitable, Profile, Session, User, CookiesOptions } from "../src"
+import { createPKCE } from "../src/core/lib/oauth/pkce-handler"
+import { InternalUrl } from "../src/utils/parse-url"
+import { JWT, JWTDecodeParams, JWTEncodeParams, JWTOptions } from "../src/jwt"
+import { CredentialInput } from "../src/providers"
+
+let logger: LoggerInstance
+let url: InternalUrl
+let provider: InternalProvider<"oauth">
+let jwt: JWTOptions
+let callbacks: CallbacksOptions
+let cookies: CookiesOptions
+let options: InternalOptions<"oauth">
+
+beforeEach(() => {
+  logger = mockLogger()
+
+  url = {
+    origin: "http://localhost:3000",
+    host: "localhost:3000",
+    path: "/api/auth",
+    base: "http://localhost:3000/api/auth",
+    toString: () => "http://localhost:3000/api/auth"
+  }
+
+  provider = {
+    type: "oauth",
+    id: "testId",
+    name: "testName",
+    signinUrl: "/",
+    callbackUrl: "/",
+    checks: ["pkce", "state"]
+  }
+
+  jwt = {
+    secret: "secret",
+    maxAge: 0,
+    encode: function (params: JWTEncodeParams): Awaitable<string> {
+      throw new Error("Function not implemented.")
+    },
+    decode: function (params: JWTDecodeParams): Awaitable<JWT | null> {
+      throw new Error("Function not implemented.")
+    }
+  }
+
+  callbacks = {
+    signIn: function (params: { user: User; account: Account; profile: Profile & Record<string, unknown>; email: { verificationRequest?: boolean | undefined }; credentials?: Record<string, CredentialInput> | undefined }): Awaitable<string | boolean> {
+      throw new Error("Function not implemented.")
+    },
+    redirect: function (params: { url: string; baseUrl: string }): Awaitable<string> {
+      throw new Error("Function not implemented.")
+    },
+    session: function (params: { session: Session; user: User; token: JWT }): Awaitable<Session> {
+      throw new Error("Function not implemented.")
+    },
+    jwt: function (params: { token: JWT; user?: User | undefined; account?: Account | undefined; profile?: Profile | undefined; isNewUser?: boolean | undefined }): Awaitable<JWT> {
+      throw new Error("Function not implemented.")
+    }
+  }
+
+  cookies = {
+    sessionToken: { name: "", options: undefined },
+    callbackUrl: { name: "", options: undefined },
+    csrfToken: { name: "", options: undefined },
+    pkceCodeVerifier: { name: "", options: {} },
+    state: { name: "", options: undefined },
+    nonce: { name: "", options: undefined }
+  }
+
+  options = {
+    url,
+    action: "session",
+    provider,
+    secret: "",
+    debug: false,
+    logger,
+    session: { strategy: "jwt", maxAge: 0, updateAge: 0 },
+    pages: {},
+    jwt,
+    events: {},
+    callbacks,
+    cookies,
+    callbackUrl: '',
+    providers: [],
+    theme: {}
+  }
+})
+
+describe("createPKCE", () => {
+  it("returns a code challenge, code challenge method, and cookie", async () => {
+    const pkce = await createPKCE(options)
+
+    expect(pkce?.code_challenge).not.toBeNull()
+    expect(pkce?.code_challenge_method).toEqual("S256")
+    expect(pkce?.cookie).not.toBeNull()
+  })
+  it("does not return a pkce when the provider does not support pkce", async () => {
+    options.provider.checks = ["state"]
+
+    const pkce = await createPKCE(options)
+
+    expect(pkce).toBeUndefined()
+  })
+  it("sets the cookie expiration to a default of 15 minutes when the max age option is not provided", async () => {
+    const pkce = await createPKCE(options)
+
+    const defaultMaxAge = 60 * 15 // 15 minutes in seconds
+    const expires = new Date()
+    expires.setTime(expires.getTime() + defaultMaxAge * 1000)
+
+    validateCookieExpiration({pkce, expires})
+    expect(pkce?.cookie.options.maxAge).toBeUndefined()
+  })
+
+  it("sets the cookie expiration and max age to the provided max age from the options", async () => {
+    const maxAge = 60 * 20 // 20 minutes
+    cookies.pkceCodeVerifier.options.maxAge = maxAge
+
+    const pkce = await createPKCE(options)
+
+    const expires = new Date()
+    expires.setTime(expires.getTime() + maxAge * 1000)
+
+    validateCookieExpiration({pkce, expires})
+    expect(pkce?.cookie.options.maxAge).toEqual(maxAge)
+  })
+})
+
+// comparing the parts instead of getTime() because the milliseconds
+// will not match since the two Date objects are created milliseconds apart
+const validateCookieExpiration = ({pkce, expires}) => {
+  const cookieExpires = pkce?.cookie.options.expires
+  expect(cookieExpires.getFullYear()).toEqual(expires.getFullYear())
+  expect(cookieExpires.getMonth()).toEqual(expires.getMonth())
+  expect(cookieExpires.getFullYear()).toEqual(expires.getFullYear())
+  expect(cookieExpires.getHours()).toEqual(expires.getHours())
+  expect(cookieExpires.getMinutes()).toEqual(expires.getMinutes())
+}
diff --git a/packages/next-auth/tests/state-handler.test.ts b/packages/next-auth/tests/state-handler.test.ts
@@ -0,0 +1,134 @@
+import { mockLogger } from "./lib"
+import type { InternalOptions, LoggerInstance, InternalProvider, CallbacksOptions, Account, Awaitable, Profile, Session, User, CookiesOptions } from "../src"
+import { createState } from "../src/core/lib/oauth/state-handler"
+import { InternalUrl } from "../src/utils/parse-url"
+import { JWT, JWTOptions, encode, decode } from "../src/jwt"
+import { CredentialInput } from "../src/providers"
+
+let logger: LoggerInstance
+let url: InternalUrl
+let provider: InternalProvider<"oauth">
+let jwt: JWTOptions
+let callbacks: CallbacksOptions
+let cookies: CookiesOptions
+let options: InternalOptions<"oauth">
+
+beforeEach(() => {
+  logger = mockLogger()
+
+  url = {
+    origin: "http://localhost:3000",
+    host: "localhost:3000",
+    path: "/api/auth",
+    base: "http://localhost:3000/api/auth",
+    toString: () => "http://localhost:3000/api/auth"
+  }
+
+  provider = {
+    type: "oauth",
+    id: "testId",
+    name: "testName",
+    signinUrl: "/",
+    callbackUrl: "/",
+    checks: ["pkce", "state"]
+  }
+
+  jwt = {
+    secret: "secret",
+    maxAge: 0,
+    encode,
+    decode
+  }
+
+  callbacks = {
+    signIn: function (params: { user: User; account: Account; profile: Profile & Record<string, unknown>; email: { verificationRequest?: boolean | undefined }; credentials?: Record<string, CredentialInput> | undefined }): Awaitable<string | boolean> {
+      throw new Error("Function not implemented.")
+    },
+    redirect: function (params: { url: string; baseUrl: string }): Awaitable<string> {
+      throw new Error("Function not implemented.")
+    },
+    session: function (params: { session: Session; user: User; token: JWT }): Awaitable<Session> {
+      throw new Error("Function not implemented.")
+    },
+    jwt: function (params: { token: JWT; user?: User | undefined; account?: Account | undefined; profile?: Profile | undefined; isNewUser?: boolean | undefined }): Awaitable<JWT> {
+      throw new Error("Function not implemented.")
+    }
+  }
+
+  cookies = {
+    sessionToken: { name: "", options: undefined },
+    callbackUrl: { name: "", options: undefined },
+    csrfToken: { name: "", options: undefined },
+    pkceCodeVerifier: { name: "", options: undefined },
+    state: { name: "", options: {} },
+    nonce: { name: "", options: undefined }
+  }
+
+  options = {
+    url,
+    action: "session",
+    provider,
+    secret: "",
+    debug: false,
+    logger,
+    session: { strategy: "jwt", maxAge: 0, updateAge: 0 },
+    pages: {},
+    jwt,
+    events: {},
+    callbacks,
+    cookies,
+    callbackUrl: '',
+    providers: [],
+    theme: {}
+  }
+})
+
+describe("createState", () => {
+  it("returns a state, and cookie", async () => {
+    const state = await createState(options)
+
+    expect(state?.value).not.toBeNull()
+    expect(state?.cookie).not.toBeNull()
+  })
+  it("does not return a state when the provider does not support state", async () => {
+    options.provider.checks = ["pkce"]
+
+    const state = await createState(options)
+
+    expect(state).toBeUndefined()
+  })
+  it("sets the cookie expiration to a default of 15 minutes when the max age option is not provided", async () => {
+    const state = await createState(options)
+
+    const defaultMaxAge = 60 * 15 // 15 minutes in seconds
+    const expires = new Date()
+    expires.setTime(expires.getTime() + defaultMaxAge * 1000)
+
+    validateCookieExpiration({state, expires})
+    expect(state?.cookie.options.maxAge).toBeUndefined()
+  })
+
+  it("sets the cookie expiration and max age to the provided max age from the options", async () => {
+    const maxAge = 60 * 20 // 20 minutes
+    cookies.state.options.maxAge = maxAge
+
+    const state = await createState(options)
+
+    const expires = new Date()
+    expires.setTime(expires.getTime() + maxAge * 1000)
+
+    validateCookieExpiration({state, expires})
+    expect(state?.cookie.options.maxAge).toEqual(maxAge)
+  })
+})
+
+// comparing the parts instead of getTime() because the milliseconds
+// will not match since the two Date objects are created milliseconds apart
+const validateCookieExpiration = ({state, expires}) => {
+  const cookieExpires = state?.cookie.options.expires
+  expect(cookieExpires.getFullYear()).toEqual(expires.getFullYear())
+  expect(cookieExpires.getMonth()).toEqual(expires.getMonth())
+  expect(cookieExpires.getFullYear()).toEqual(expires.getFullYear())
+  expect(cookieExpires.getHours()).toEqual(expires.getHours())
+  expect(cookieExpires.getMinutes()).toEqual(expires.getMinutes())
+}
