File tree Expand file tree Collapse file tree 2 files changed +4
-3
lines changed
Expand file tree Collapse file tree 2 files changed +4
-3
lines changed Original file line number Diff line number Diff line change @@ -47,7 +47,7 @@ export const Route = createFileRoute('/api/auth/callback/$provider')({
4747 }
4848
4949 // Clear state cookie (one-time use)
50- const clearStateCookie = `oauth_state=; HttpOnly; Path=/; Max-Age=0; SameSite=Strict ${ process . env . NODE_ENV === 'production' ? '; Secure' : '' }
50+ const clearStateCookie = `oauth_state=; HttpOnly; Path=/; Max-Age=0; SameSite=Lax ${ process . env . NODE_ENV === 'production' ? '; Secure' : '' }
5151
5252 // Exchange code for access token
5353 // Use SITE_URL env var if set, otherwise fall back to request origin
Original file line number Diff line number Diff line change @@ -22,10 +22,11 @@ export const Route = createFileRoute('/auth/$provider/start')({
2222 . replace ( / = / g, '' )
2323
2424 // Store state in HTTPS-only cookie for CSRF protection
25- // SameSite=Strict prevents CSRF attacks
25+ // SameSite=Lax allows the cookie to be sent on OAuth redirects (top-level navigations)
26+ // while still protecting against CSRF on POST requests
2627 const stateCookie = `oauth_state=${ encodeURIComponent (
2728 state ,
28- ) } ; HttpOnly; Path=/; Max-Age=${ 10 * 60 } Strict ${
29+ ) } ; HttpOnly; Path=/; Max-Age=${ 10 * 60 } Lax ${
2930 process . env . NODE_ENV === 'production' ? '; Secure' : ''
3031 } `
3132
You can’t perform that action at this time.
0 commit comments