@propelauth/nextjs 0.1.7 → 0.1.9

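--- /dev/null
+++ b/package/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 PropelAuth
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.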
@@ -1,10 +1,27 @@
1
1
  "use strict";
2
2
  var __create = Object.create;
3
3
  var __defProp = Object.defineProperty;
4
+ var __defProps = Object.defineProperties;
4
5
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
6
+ var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
5
7
  var __getOwnPropNames = Object.getOwnPropertyNames;
8
+ var __getOwnPropSymbols = Object.getOwnPropertySymbols;
6
9
  var __getProtoOf = Object.getPrototypeOf;
7
10
  var __hasOwnProp = Object.prototype.hasOwnProperty;
11
+ var __propIsEnum = Object.prototype.propertyIsEnumerable;
12
+ var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
13
+ var __spreadValues = (a, b) => {
14
+ for (var prop in b || (b = {}))
15
+ if (__hasOwnProp.call(b, prop))
16
+ __defNormalProp(a, prop, b[prop]);
17
+ if (__getOwnPropSymbols)
18
+ for (var prop of __getOwnPropSymbols(b)) {
19
+ if (__propIsEnum.call(b, prop))
20
+ __defNormalProp(a, prop, b[prop]);
21
+ }
22
+ return a;
23
+ };
24
+ var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
8
25
  var __export = (target, all) => {
9
26
  for (var name in all)
10
27
  __defProp(target, name, { get: all[name], enumerable: true });
@@ -317,7 +334,6 @@ var CUSTOM_HEADER_FOR_PATH = "x-propelauth-current-path";
317
334
  var RETURN_TO_PATH_COOKIE_NAME = "__pa_return_to_path";
318
335
  var COOKIE_OPTIONS = {
319
336
  httpOnly: true,
320
- sameSite: "lax",
321
337
  secure: true,
322
338
  path: "/"
323
339
  };
@@ -352,6 +368,22 @@ function getVerifierKey() {
352
368
  }
353
369
  return verifierKey.replace(/\\n/g, "\n");
354
370
  }
371
+ function getSameSiteCookieValue() {
372
+ const sameSiteOverride = process.env.PROPELAUTH_SAME_SITE_COOKIE_OVERRIDE;
373
+ if (sameSiteOverride === "none") {
374
+ return "none";
375
+ } else if (sameSiteOverride === "lax") {
376
+ return "lax";
377
+ } else if (sameSiteOverride === "strict") {
378
+ return "strict";
379
+ } else if (sameSiteOverride) {
380
+ throw new Error(
381
+ 'Invalid value for PROPELAUTH_SAME_SITE_COOKIE_OVERRIDE, must be one of "none", "lax", or "strict"'
382
+ );
383
+ } else {
384
+ return "lax";
385
+ }
386
+ }
355
387
  function refreshTokenWithAccessAndRefreshToken(refreshToken, activeOrgId) {
356
388
  return __async(this, null, function* () {
357
389
  const body = {
@@ -491,9 +523,10 @@ function authMiddleware(req) {
491
523
  response2.cookies.delete(REFRESH_TOKEN_COOKIE_NAME);
492
524
  return response2;
493
525
  } else {
526
+ const sameSite = getSameSiteCookieValue();
494
527
  const nextResponse = getNextResponse(req, response.accessToken);
495
- nextResponse.cookies.set(ACCESS_TOKEN_COOKIE_NAME, response.accessToken, COOKIE_OPTIONS);
496
- nextResponse.cookies.set(REFRESH_TOKEN_COOKIE_NAME, response.refreshToken, COOKIE_OPTIONS);
528
+ nextResponse.cookies.set(ACCESS_TOKEN_COOKIE_NAME, response.accessToken, __spreadProps(__spreadValues({}, COOKIE_OPTIONS), { sameSite }));
529
+ nextResponse.cookies.set(REFRESH_TOKEN_COOKIE_NAME, response.refreshToken, __spreadProps(__spreadValues({}, COOKIE_OPTIONS), { sameSite }));
497
530
  return nextResponse;
498
531
  }
499
532
  }
@@ -524,6 +557,7 @@ function getRouteHandlers(args) {
524
557
  const returnToPath = req.nextUrl.searchParams.get("return_to_path");
525
558
  const state = randomState();
526
559
  const redirectUri = getRedirectUri();
560
+ const sameSite = getSameSiteCookieValue();
527
561
  const authorizeUrlSearchParams = new URLSearchParams({
528
562
  redirect_uri: redirectUri,
529
563
  state,
@@ -532,12 +566,12 @@ function getRouteHandlers(args) {
532
566
  const authorize_url = getAuthUrlOrigin() + "/propelauth/ssr/authorize?" + authorizeUrlSearchParams.toString();
533
567
  const headers2 = new Headers();
534
568
  headers2.append("Location", authorize_url);
535
- headers2.append("Set-Cookie", `${STATE_COOKIE_NAME}=${state}; Path=/; HttpOnly; Secure; SameSite=Lax`);
569
+ headers2.append("Set-Cookie", `${STATE_COOKIE_NAME}=${state}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`);
536
570
  if (returnToPath) {
537
571
  if (returnToPath.startsWith("/")) {
538
572
  headers2.append(
539
573
  "Set-Cookie",
540
- `${RETURN_TO_PATH_COOKIE_NAME}=${returnToPath}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=600`
574
+ `${RETURN_TO_PATH_COOKIE_NAME}=${returnToPath}; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=600`
541
575
  );
542
576
  } else {
543
577
  console.warn("return_to_path must start with /");
@@ -551,6 +585,7 @@ function getRouteHandlers(args) {
551
585
  function callbackGetHandler(req) {
552
586
  return __async(this, null, function* () {
553
587
  var _a, _b, _c;
588
+ const sameSite = getSameSiteCookieValue();
554
589
  const oauthState = (_a = req.cookies.get(STATE_COOKIE_NAME)) == null ? void 0 : _a.value;
555
590
  if (!oauthState || oauthState.length !== 64) {
556
591
  return new Response(null, { status: 302, headers: { Location: LOGIN_PATH } });
@@ -609,15 +644,15 @@ function getRouteHandlers(args) {
609
644
  headers3.append("Location", returnToPath);
610
645
  headers3.append(
611
646
  "Set-Cookie",
612
- `${ACCESS_TOKEN_COOKIE_NAME}=${response2.accessToken}; Path=/; HttpOnly; Secure; SameSite=Lax`
647
+ `${ACCESS_TOKEN_COOKIE_NAME}=${response2.accessToken}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
613
648
  );
614
649
  headers3.append(
615
650
  "Set-Cookie",
616
- `${REFRESH_TOKEN_COOKIE_NAME}=${response2.refreshToken}; Path=/; HttpOnly; Secure; SameSite=Lax`
651
+ `${REFRESH_TOKEN_COOKIE_NAME}=${response2.refreshToken}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
617
652
  );
618
653
  headers3.append(
619
654
  "Set-Cookie",
620
- `${ACTIVE_ORG_ID_COOKIE_NAME}=${activeOrgId}; Path=/; HttpOnly; Secure; SameSite=Lax`
655
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=${activeOrgId}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
621
656
  );
622
657
  headers3.append("Set-Cookie", getCookieForReturnToPathInCallback(returnToPathFromCookie));
623
658
  return new Response(null, {
@@ -630,15 +665,15 @@ function getRouteHandlers(args) {
630
665
  headers2.append("Location", returnToPath);
631
666
  headers2.append(
632
667
  "Set-Cookie",
633
- `${ACCESS_TOKEN_COOKIE_NAME}=${accessToken}; Path=/; HttpOnly; Secure; SameSite=Lax`
668
+ `${ACCESS_TOKEN_COOKIE_NAME}=${accessToken}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
634
669
  );
635
670
  headers2.append(
636
671
  "Set-Cookie",
637
- `${REFRESH_TOKEN_COOKIE_NAME}=${data.refresh_token}; Path=/; HttpOnly; Secure; SameSite=Lax`
672
+ `${REFRESH_TOKEN_COOKIE_NAME}=${data.refresh_token}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
638
673
  );
639
674
  headers2.append(
640
675
  "Set-Cookie",
641
- `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
676
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
642
677
  );
643
678
  headers2.append("Set-Cookie", getCookieForReturnToPathInCallback(returnToPathFromCookie));
644
679
  return new Response(null, {
@@ -660,6 +695,7 @@ function getRouteHandlers(args) {
660
695
  var _a, _b;
661
696
  const oldRefreshToken = (_a = req.cookies.get(REFRESH_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value;
662
697
  const activeOrgId = (_b = req.cookies.get(ACTIVE_ORG_ID_COOKIE_NAME)) == null ? void 0 : _b.value;
698
+ const sameSite = getSameSiteCookieValue();
663
699
  if (oldRefreshToken) {
664
700
  const refreshResponse = yield refreshTokenWithAccessAndRefreshToken(oldRefreshToken, activeOrgId);
665
701
  if (refreshResponse.error === "unexpected") {
@@ -668,15 +704,15 @@ function getRouteHandlers(args) {
668
704
  const headers3 = new Headers();
669
705
  headers3.append(
670
706
  "Set-Cookie",
671
- `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
707
+ `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
672
708
  );
673
709
  headers3.append(
674
710
  "Set-Cookie",
675
- `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
711
+ `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
676
712
  );
677
713
  headers3.append(
678
714
  "Set-Cookie",
679
- `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
715
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
680
716
  );
681
717
  return new Response("Unauthorized", { status: 401, headers: headers3 });
682
718
  }
@@ -702,11 +738,11 @@ function getRouteHandlers(args) {
702
738
  const headers3 = new Headers();
703
739
  headers3.append(
704
740
  "Set-Cookie",
705
- `${ACCESS_TOKEN_COOKIE_NAME}=${accessToken}; Path=/; HttpOnly; Secure; SameSite=Lax`
741
+ `${ACCESS_TOKEN_COOKIE_NAME}=${accessToken}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
706
742
  );
707
743
  headers3.append(
708
744
  "Set-Cookie",
709
- `${REFRESH_TOKEN_COOKIE_NAME}=${refreshToken}; Path=/; HttpOnly; Secure; SameSite=Lax`
745
+ `${REFRESH_TOKEN_COOKIE_NAME}=${refreshToken}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
710
746
  );
711
747
  headers3.append("Content-Type", "application/json");
712
748
  return new Response(JSON.stringify(jsonResponse), {
@@ -717,15 +753,15 @@ function getRouteHandlers(args) {
717
753
  const headers3 = new Headers();
718
754
  headers3.append(
719
755
  "Set-Cookie",
720
- `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
756
+ `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
721
757
  );
722
758
  headers3.append(
723
759
  "Set-Cookie",
724
- `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
760
+ `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
725
761
  );
726
762
  headers3.append(
727
763
  "Set-Cookie",
728
- `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
764
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
729
765
  );
730
766
  return new Response(null, {
731
767
  status: 401,
@@ -736,9 +772,18 @@ function getRouteHandlers(args) {
736
772
  }
737
773
  }
738
774
  const headers2 = new Headers();
739
- headers2.append("Set-Cookie", `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
740
- headers2.append("Set-Cookie", `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
741
- headers2.append("Set-Cookie", `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
775
+ headers2.append(
776
+ "Set-Cookie",
777
+ `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
778
+ );
779
+ headers2.append(
780
+ "Set-Cookie",
781
+ `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
782
+ );
783
+ headers2.append(
784
+ "Set-Cookie",
785
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
786
+ );
742
787
  return new Response(null, { status: 401 });
743
788
  });
744
789
  }
@@ -750,21 +795,22 @@ function getRouteHandlers(args) {
750
795
  console.error("postLoginPathFn returned undefined");
751
796
  return new Response("Unexpected error", { status: 500 });
752
797
  }
798
+ const sameSite = getSameSiteCookieValue();
753
799
  const refreshToken = (_a = req.cookies.get(REFRESH_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value;
754
800
  if (!refreshToken) {
755
801
  const headers2 = new Headers();
756
802
  headers2.append("Location", path);
757
803
  headers2.append(
758
804
  "Set-Cookie",
759
- `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
805
+ `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
760
806
  );
761
807
  headers2.append(
762
808
  "Set-Cookie",
763
- `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
809
+ `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
764
810
  );
765
811
  headers2.append(
766
812
  "Set-Cookie",
767
- `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
813
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
768
814
  );
769
815
  return new Response(null, {
770
816
  status: 302,
@@ -781,15 +827,15 @@ function getRouteHandlers(args) {
781
827
  headers2.append("Location", path);
782
828
  headers2.append(
783
829
  "Set-Cookie",
784
- `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
830
+ `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
785
831
  );
786
832
  headers2.append(
787
833
  "Set-Cookie",
788
- `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
834
+ `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
789
835
  );
790
836
  headers2.append(
791
837
  "Set-Cookie",
792
- `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
838
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
793
839
  );
794
840
  return new Response(null, {
795
841
  status: 302,
@@ -808,20 +854,21 @@ function getRouteHandlers(args) {
808
854
  function logoutPostHandler(req) {
809
855
  return __async(this, null, function* () {
810
856
  var _a;
857
+ const sameSite = getSameSiteCookieValue();
811
858
  const refreshToken = (_a = req.cookies.get(REFRESH_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value;
812
859
  if (!refreshToken) {
813
860
  const headers3 = new Headers();
814
861
  headers3.append(
815
862
  "Set-Cookie",
816
- `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
863
+ `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
817
864
  );
818
865
  headers3.append(
819
866
  "Set-Cookie",
820
- `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
867
+ `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
821
868
  );
822
869
  headers3.append(
823
870
  "Set-Cookie",
824
- `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
871
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
825
872
  );
826
873
  return new Response(null, { status: 200, headers: headers3 });
827
874
  }
@@ -845,9 +892,18 @@ function getRouteHandlers(args) {
845
892
  );
846
893
  }
847
894
  const headers2 = new Headers();
848
- headers2.append("Set-Cookie", `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
849
- headers2.append("Set-Cookie", `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
850
- headers2.append("Set-Cookie", `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`);
895
+ headers2.append(
896
+ "Set-Cookie",
897
+ `${ACCESS_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
898
+ );
899
+ headers2.append(
900
+ "Set-Cookie",
901
+ `${REFRESH_TOKEN_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
902
+ );
903
+ headers2.append(
904
+ "Set-Cookie",
905
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
906
+ );
851
907
  return new Response(null, { status: 200, headers: headers2 });
852
908
  });
853
909
  }
@@ -856,11 +912,12 @@ function getRouteHandlers(args) {
856
912
  var _a;
857
913
  const oldRefreshToken = (_a = req.cookies.get(REFRESH_TOKEN_COOKIE_NAME)) == null ? void 0 : _a.value;
858
914
  const activeOrgId = req.nextUrl.searchParams.get("active_org_id");
915
+ const sameSite = getSameSiteCookieValue();
859
916
  if (!oldRefreshToken) {
860
917
  const headers2 = new Headers();
861
918
  headers2.append(
862
919
  "Set-Cookie",
863
- `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`
920
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`
864
921
  );
865
922
  return new Response(null, { status: 401, headers: headers2 });
866
923
  }
@@ -895,15 +952,15 @@ function getRouteHandlers(args) {
895
952
  const headers2 = new Headers();
896
953
  headers2.append(
897
954
  "Set-Cookie",
898
- `${ACCESS_TOKEN_COOKIE_NAME}=${accessToken}; Path=/; HttpOnly; Secure; SameSite=Lax`
955
+ `${ACCESS_TOKEN_COOKIE_NAME}=${accessToken}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
899
956
  );
900
957
  headers2.append(
901
958
  "Set-Cookie",
902
- `${REFRESH_TOKEN_COOKIE_NAME}=${refreshToken}; Path=/; HttpOnly; Secure; SameSite=Lax`
959
+ `${REFRESH_TOKEN_COOKIE_NAME}=${refreshToken}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
903
960
  );
904
961
  headers2.append(
905
962
  "Set-Cookie",
906
- `${ACTIVE_ORG_ID_COOKIE_NAME}=${activeOrgId}; Path=/; HttpOnly; Secure; SameSite=Lax`
963
+ `${ACTIVE_ORG_ID_COOKIE_NAME}=${activeOrgId}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`
907
964
  );
908
965
  headers2.append("Content-Type", "application/json");
909
966
  return new Response(JSON.stringify(jsonResponse), {
@@ -977,10 +1034,11 @@ function getUrlEncodedRedirectPathForCurrentPath() {
977
1034
  return encodeURIComponent(path);
978
1035
  }
979
1036
  function getCookieForReturnToPathInCallback(returnToPathFromCookie) {
1037
+ const sameSite = getSameSiteCookieValue();
980
1038
  if (returnToPathFromCookie) {
981
- return `${RETURN_TO_PATH_COOKIE_NAME}=${returnToPathFromCookie}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=15`;
1039
+ return `${RETURN_TO_PATH_COOKIE_NAME}=${returnToPathFromCookie}; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=15`;
982
1040
  } else {
983
- return `${RETURN_TO_PATH_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
1041
+ return `${RETURN_TO_PATH_COOKIE_NAME}=; Path=/; HttpOnly; Secure; SameSite=${sameSite}; Max-Age=0`;
984
1042
  }
985
1043
  }
986
1044
  function getCurrentPath() {
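Review bot: `returnToPath` still reaches the `Set-Cookie` header at new line 574 with only the `startsWith("/")` check, so a value containing `;`, whitespace or control characters would alter the cookie's attribute list rather than be stored as its value, and the same string is re-emitted unencoded by `getCookieForReturnToPathInCallback` at new line 1039. Restrict it to RFC 6265 cookie-octets in the branch that already warns on a bad prefix, e.g. `if (!/^\/[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/.test(returnToPath)) { console.warn("return_to_path contains characters not allowed in a cookie value"); }` and mirror that check where the cookie is read back. Separately, `COOKIE_OPTIONS` no longer carries `sameSite` (old line 320 removed) and only the `authMiddleware` call sites at new lines 528-529 visibly re-add it, so any other `cookies.set(..., COOKIE_OPTIONS)` caller outside these hunks would now emit no SameSite attribute at all — worth confirming. `getSameSiteCookieValue` would also benefit from a header comment stating that `"none"` makes the session and state cookies eligible for cross-site requests, leaving the OAuth `state` comparison as the only CSRF control on those routes. The handler bodies that use `sameSite` start and end outside the hunks.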