Add isSameSite to schema

[arnivuo]

Fixes #141.

[goddyZhao]

This is really helpful, but are there any workaround to make it with hapi-auth-cookie so far ? This PR has not yet been merged

[dahjelle]

Since isSameSite now defaults to true, not having this option means there is no way to get the previous behavior (i.e. not setting the SameSite attribute at all).

[arnivuo]

@goddyZhao not sure but I guess you could use npm Git URL as dependency to my fork. Or you could just copy lib/index.js into your project.

@dahjelle are you meaning that default should be false and not Strict. Because maybe there's point. My thought was that because statehood has Strict as default it would be good to reflect that here as well.

[dahjelle]

@arnivuo

are you meaning that default should be false and not Strict. Because maybe there's point.

No, I meant that with the default to isSameSite = 'Strict' and not allowing the user to change the default, there is no way to get the previous default behavior of hapi-auth-cookie which is isSameSite = false.

This PR allows the user to allow the previous behavior if desired, which, I think, is pretty important! :-D

Did that clarify?

[arnivuo]

@dahjelle Umh...yah clear know. So but you are happy with that user won't get previous behavior by default?

[arnivuo]

@jaw187 any change for merging this PR?

[kanongil]

The new behaviour won't work for me. Please allow me to configure it.

[dahjelle]

@dahjelle Umh...yah clear know. So but you are happy with that user won't get previous behavior by default?

@arnivuo Yes, I'm glad isSameSite defaults to true, even though that isn't the previous default. It's a good security improvement, and it's nice to be secure-by-default.

[arnivuo]

@kanongil I added you as a collaborator to my fork.

[kanongil]

@arnivuo Thanks, but I would prefer to get it sorted here. I have the power to merge this PR, but really @jaw187 should handle it.

@jaw187 Are you still maintaining this package?

[arnivuo]

@kanongil So what do you need me to do? Or that request wasn't for me.

[eliasmalik]

@jaw187 @kanongil will there be any movement on this? I ran into this problem too. I managed to workaround it using

const server = new Hapi.Server({ connections: { state: { isSameSite: 'Lax' } } });

but it would be nice to handle this directly in the plugin.

Thank you 👍

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.