From fa40f8c2ac9fdfb3ae41eea9af6aa8f251bfb282 Mon Sep 17 00:00:00 2001 From: ndom91 Date: Sat, 6 Nov 2021 02:01:55 +0100 Subject: [PATCH 1/4] feat: add info about cookie chunking --- docs/configuration/options.md | 4 ++-- docs/faq.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/configuration/options.md b/docs/configuration/options.md index 704c5943..850b4a93 100644 --- a/docs/configuration/options.md +++ b/docs/configuration/options.md @@ -402,8 +402,6 @@ When set to `true` (the default for all site URLs that start with `https://`) th This option defaults to `false` on URLs that start with `http://` (e.g. `http://localhost:3000`) for developer convenience. -You can manually set this option to `false` to disable this security feature and allow cookies to be accessible from non-secured URLs (this is not recommended). - :::note Properties on any custom `cookies` that are specified override this option. ::: @@ -421,6 +419,8 @@ Setting this option to _false_ in production is a security risk and may allow se #### Description +Cookies in NextAuth.js are chunked by default, meaning that once they reach the 4kb limit, we will create a new cookie with the `.{number}` suffix and reassemble the cookies in the correct order when parsing / reading them. This was introduced to avoid size constraints which can occur when users want to store additional custom fields in their sessionToken, for example, or enable encryption, which adds size overhead. + You can override the default cookie names and options for any of the cookies used by NextAuth.js. This is an advanced option and using it is not recommended as you may break authentication or introduce security flaws into your application. diff --git a/docs/faq.md b/docs/faq.md index 01a3439c..8245363f 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -345,7 +345,7 @@ JSON Web Tokens can be used for session tokens, but are also used for lots of ot

-By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB). +By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB). Since v4 we have implemented cookie chunking so that cookies over the 4kb limit get split and reassembled upon reading them. As there is practically no limit to cookie size anymore, we strongly recommend enabling and keeping enabled jwt encryption. - JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key. From e76f03329a5a07b81f4881a043d18d0109469686 Mon Sep 17 00:00:00 2001 From: ndom91 Date: Fri, 12 Nov 2021 22:50:23 +0100 Subject: [PATCH 2/4] docs: address PR comments --- docs/configuration/options.md | 2 +- docs/faq.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuration/options.md b/docs/configuration/options.md index 850b4a93..b62ec647 100644 --- a/docs/configuration/options.md +++ b/docs/configuration/options.md 
@@ -419,7 +419,7 @@ Setting this option to _false_ in production is a security risk and may allow se #### Description -Cookies in NextAuth.js are chunked by default, meaning that once they reach the 4kb limit, we will create a new cookie with the `.{number}` suffix and reassemble the cookies in the correct order when parsing / reading them. This was introduced to avoid size constraints which can occur when users want to store additional custom fields in their sessionToken, for example, or enable encryption, which adds size overhead. +Cookies in NextAuth.js are chunked by default, meaning that once they reach the 4kb limit, we will create a new cookie with the `.{number}` suffix and reassemble the cookies in the correct order when parsing / reading them. This was introduced to avoid size constraints which can occur when users want to store additional data in their sessionToken, for example. You can override the default cookie names and options for any of the cookies used by NextAuth.js. diff --git a/docs/faq.md b/docs/faq.md index 8245363f..cfb4aba7 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -345,7 +345,7 @@ JSON Web Tokens can be used for session tokens, but are also used for lots of ot

-By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB). Since v4 we have implemented cookie chunking so that cookies over the 4kb limit get split and reassembled upon reading them. As there is practically no limit to cookie size anymore, we strongly recommend enabling and keeping enabled jwt encryption. +By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB). Since v4 we have implemented cookie chunking so that cookies over the 4kb limit get split and reassembled upon parsing. - JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key. From 089c767410d0927ec22f87c4c722483cf353cd58 Mon Sep 17 00:00:00 2001 From: ndom91 Date: Sat, 13 Nov 2021 13:35:18 +0100 Subject: [PATCH 3/4] docs(faq): fix jwt faq info --- docs/faq.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/docs/faq.md b/docs/faq.md index cfb4aba7..0fb8344c 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -345,11 +345,7 @@ JSON Web Tokens can be used for session tokens, but are also used for lots of ot

-By default tokens are signed (JWS) but not encrypted (JWE), as encryption adds additional overhead and reduces the amount of space available to store data (total cookie size for a domain is limited to 4KB). Since v4 we have implemented cookie chunking so that cookies over the 4kb limit get split and reassembled upon parsing. - -- JSON Web Tokens in NextAuth.js use JWS and are signed using HS512 with an auto-generated key. - -- If encryption is enabled by setting `jwt: { encryption: true }` option then the JWT will _also_ use JWE to encrypt the token, using A256GCM with an auto-generated key. +By default tokens are not signed (JWS) but are encrypted (JWE). Since v4 we have implemented cookie chunking so that cookies over the 4kb limit get split and reassembled upon parsing. You can specify other valid algorithms - [as specified in RFC 7518](https://tools.ietf.org/html/rfc7517) - with either a secret (for symmetric encryption) or a public/private key pair (for a symmetric encryption). From 49f3538bd293d697537e9464b08f4b82c7dc8815 Mon Sep 17 00:00:00 2001 From: ndom91 Date: Sat, 13 Nov 2021 13:37:22 +0100 Subject: [PATCH 4/4] fix: jwt options desc --- docs/configuration/options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/options.md b/docs/configuration/options.md index b62ec647..32bf17a6 100644 --- a/docs/configuration/options.md +++ b/docs/configuration/options.md @@ -113,7 +113,7 @@ session: { JSON Web Tokens can be used for session tokens if enabled with `session: { jwt: true }` option. JSON Web Tokens are enabled by default if you have not specified a database. -By default JSON Web Tokens are signed (JWS) but not encrypted (JWE), as JWT encryption adds additional overhead and comes with some caveats. You can enable encryption by setting `encryption: true`. +By default JSON Web Tokens are not signed (JWS) but are encrypted (JWE). #### JSON Web Token Options
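Review bot: In PATCH 1/4, the `@@ -402,8 +402,6 @@` hunk in docs/configuration/options.md deletes the "You can manually set this option to `false` to disable this security feature ..." sentence, which has nothing to do with cookie chunking and is not mentioned in the commit message "feat: add info about cookie chunking". Either drop that hunk from this series or put it in its own commit with a message saying why the sentence goes; as it stands, the only remaining statement about the option near that spot is that it defaults to `false` on `http://` URLs, and the "Setting this option to _false_ in production is a security risk" warning sits in a different paragraph further down.

Review bot: In the `@@ -419,7 +419,7 @@` hunk of docs/configuration/options.md (final wording in PATCH 2/4), "once they reach the 4kb limit" reads as kilobits, and the limit that matters is per cookie (roughly 4096 bytes for name, value and attributes together), not a single figure for all cookies; write "4 KB (4096 bytes) per cookie". The chunk naming is also ambiguous: say whether the first chunk keeps the bare cookie name or is already `sessionToken.0`, that chunks are reassembled in ascending numeric `.{number}` order, and what the parser does when a chunk is missing. Since this paragraph also covers overriding cookie names, it is worth one sentence on overwrite and sign-out: when a new value needs fewer chunks than the previous one, the leftover `.{number}` cookies from the old value have to be expired as well, otherwise they are sent on the next request. Finally, "store additional data in their sessionToken" conflates the cookie with the token it carries; the extra data goes into the JWT, which is what makes the cookie grow.

Review bot: In PATCH 3/4, the `@@ -345,11 +345,7 @@` hunk in docs/faq.md replaces the two bullets that named the algorithms (HS512 for JWS, A256GCM for JWE) with "By default tokens are not signed (JWS) but are encrypted (JWE)." and now names no algorithm at all; state the default JWE `alg` and `enc` so a reader can assess the token format, and make clear that an AEAD `enc` such as the A256GCM the removed bullet named still gives integrity protection, so "not signed" must not be read as "not tamper-protected". The unchanged context line that follows needs fixing in the same pass: its link text says "RFC 7518" but the URL is `https://tools.ietf.org/html/rfc7517` (RFC 7517 is JSON Web Key; JSON Web Algorithms is `https://tools.ietf.org/html/rfc7518`), "(for a symmetric encryption)" should read "(for asymmetric encryption)", and "4kb" in the new sentence should match the "4KB" spelling used elsewhere. Also check whether "You can specify other valid algorithms ... with either a secret ... or a public/private key pair" is still true once signing is no longer the default, since the sentence was written for the JWS setup.

Review bot: In PATCH 4/4, the `@@ -113,7 +113,7 @@` hunk in docs/configuration/options.md removes "You can enable encryption by setting `encryption: true`" together with the caveat sentence, but the replacement "By default JSON Web Tokens are not signed (JWS) but are encrypted (JWE)." does not say whether the `encryption` option still exists, whether encryption can be turned off, or what happens to a v3 configuration that still sets `jwt: { encryption: true }`. Add one sentence covering that, and mirror whatever the answer is in the faq.md wording from PATCH 3/4 so the two pages agree.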