[docs] Reflect new structure of cookie config object since RW 6.4 (#1…

…1781) See #9248 --------- Co-authored-by: Tobbe Lundberg <[email protected]>
redwoodjs · Dec 16, 2024 · 8b7a0cf · 8b7a0cf
1 parent 65057dd
commit 8b7a0cf
Show file tree

Hide file tree

Showing 8 changed files with 223 additions and 135 deletions.
diff --git a/docs/docs/auth/dbauth.md b/docs/docs/auth/dbauth.md
@@ -316,14 +316,19 @@ These options determine how the cookie that tracks whether the client is authori
 
 ```javascript
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: true,
-  // Domain: 'example.com',
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: true,
+    // Domain: 'example.com',
+  },
+  // name: 'session_%port%',
 }
 ```
 
+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config
 
 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.
 
 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.
 
-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
 
-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: process.env.NODE_ENV !== 'development' ? true : false,
-  Domain: 'example.com'
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: process.env.NODE_ENV !== 'development' ? true : false,
+    // highlight-next-line
+    Domain: 'example.com'
+  },
+  // name: 'session_%port%'
 }
 ```
 
@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
     },
 
     cookie: {
-      HttpOnly: true,
-      Path: '/',
-      SameSite: 'Strict',
-      Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      attributes: {
+        HttpOnly: true,
+        Path: '/',
+        SameSite: 'Strict',
+        Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      },
     },
 
     forgotPassword: forgotPasswordOptions,

diff --git a/docs/versioned_docs/version-6.x/auth/dbauth.md b/docs/versioned_docs/version-6.x/auth/dbauth.md
@@ -283,16 +283,21 @@ By default no setting is required. This is because each db has its own rules for
 
 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).
 
-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: true,
-  // Domain: 'example.com',
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: true,
+    // Domain: 'example.com',
+  },
+  // name: 'session_%port%' 
 }
 ```
 
+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config
 
 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -317,15 +322,19 @@ See [WebAuthn Configuration](#function-config) section below.
 
 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.
 
-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
 
-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: process.env.NODE_ENV !== 'development' ? true : false,
-  Domain: 'example.com'
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: process.env.NODE_ENV !== 'development' ? true : false,
+    // highlight-next-line
+    Domain: 'example.com'
+  },
+  // name: 'session_%port%'
 }
 ```
 
@@ -520,10 +529,12 @@ export const handler = async (event, context) => {
     },
 
     cookie: {
-      HttpOnly: true,
-      Path: '/',
-      SameSite: 'Strict',
-      Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      attributes: {
+        HttpOnly: true,
+        Path: '/',
+        SameSite: 'Strict',
+        Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      }
     },
 
     forgotPassword: forgotPasswordOptions,

diff --git a/docs/versioned_docs/version-7.x/auth/dbauth.md b/docs/versioned_docs/version-7.x/auth/dbauth.md
@@ -311,16 +311,21 @@ By default no setting is required. This is because each db has its own rules for
 
 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).
 
-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: true,
-  // Domain: 'example.com',
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: true,
+    // Domain: 'example.com',
+  },
+  // name: 'session_%port%' 
 }
 ```
 
+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config
 
 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -345,15 +350,19 @@ See [WebAuthn Configuration](#function-config) section below.
 
 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.
 
-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
 
-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: process.env.NODE_ENV !== 'development' ? true : false,
-  Domain: 'example.com'
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: process.env.NODE_ENV !== 'development' ? true : false,
+    // highlight-next-line
+    Domain: 'example.com'
+  },
+  // name: 'session_%port%'
 }
 ```
 
@@ -550,10 +559,12 @@ export const handler = async (event, context) => {
     },
 
     cookie: {
-      HttpOnly: true,
-      Path: '/',
-      SameSite: 'Strict',
-      Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      attributes: {
+        HttpOnly: true,
+        Path: '/',
+        SameSite: 'Strict',
+        Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      }
     },
 
     forgotPassword: forgotPasswordOptions,

diff --git a/docs/versioned_docs/version-8.0/auth/dbauth.md b/docs/versioned_docs/version-8.0/auth/dbauth.md
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for
 
 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).
 
-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: true,
-  // Domain: 'example.com',
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: true,
+    // Domain: 'example.com',
+  },
+  // name: 'session_%port%' 
 }
 ```
 
+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config
 
 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.
 
 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.
 
-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
 
-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: process.env.NODE_ENV !== 'development' ? true : false,
-  Domain: 'example.com'
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: process.env.NODE_ENV !== 'development' ? true : false,
+    // highlight-next-line
+    Domain: 'example.com'
+  },
+  // name: 'session_%port%'
 }
 ```
 
@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
     },
 
     cookie: {
-      HttpOnly: true,
-      Path: '/',
-      SameSite: 'Strict',
-      Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      attributes: {
+        HttpOnly: true,
+        Path: '/',
+        SameSite: 'Strict',
+        Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      }
     },
 
     forgotPassword: forgotPasswordOptions,

diff --git a/docs/versioned_docs/version-8.1/auth/dbauth.md b/docs/versioned_docs/version-8.1/auth/dbauth.md
@@ -314,16 +314,21 @@ By default no setting is required. This is because each db has its own rules for
 
 These options determine how the cookie that tracks whether the client is authorized is stored in the browser. The default configuration should work for most use cases. If you serve your web and api sides from different domains you'll need to make some changes: set `SameSite` to `None` and then add [CORS configuration](#cors-config).
 
-```javascript
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: true,
-  // Domain: 'example.com',
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: true,
+    // Domain: 'example.com',
+  },
+  // name: 'session_%port%' 
 }
 ```
 
+As shown above the cookie name defaults to `'session_%port%'` but can also be customized, where `%port%` will be replaced with the port the api server is running on.
+
 ### CORS config
 
 If you're using dbAuth and your api and web sides are deployed to different domains then you'll need to configure CORS for both GraphQL in general and dbAuth. You'll also need to enable a couple of options to be sure and send/accept credentials in XHR requests. For more info, see the complete [CORS doc](cors.md#cors-and-authentication).
@@ -348,15 +353,19 @@ See [WebAuthn Configuration](#function-config) section below.
 
 By default, the session cookie will not have the `Domain` property set, which a browser will default to be the [current domain only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_where_cookies_are_sent). If your site is spread across multiple domains (for example, your site is at `example.com` but your api-side is deployed to `api.example.com`) you'll need to explicitly set a Domain so that the cookie is accessible to both.
 
-To do this, set the `cookie.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
+To do this, set the `cookie.attributes.Domain` property in your `api/src/functions/auth.js` configuration, set to the root domain of your site, which will allow it to be read by all subdomains as well. For example:
 
-```json title="api/src/functions/auth.js"
+```js title="api/src/functions/auth.js"
 cookie: {
-  HttpOnly: true,
-  Path: '/',
-  SameSite: 'Strict',
-  Secure: process.env.NODE_ENV !== 'development' ? true : false,
-  Domain: 'example.com'
+  attributes: {
+    HttpOnly: true,
+    Path: '/',
+    SameSite: 'Strict',
+    Secure: process.env.NODE_ENV !== 'development' ? true : false,
+    // highlight-next-line
+    Domain: 'example.com'
+  },
+  // name: 'session_%port%'
 }
 ```
 
@@ -552,10 +561,12 @@ export const handler = async (event, context) => {
     },
 
     cookie: {
-      HttpOnly: true,
-      Path: '/',
-      SameSite: 'Strict',
-      Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      attributes: {
+        HttpOnly: true,
+        Path: '/',
+        SameSite: 'Strict',
+        Secure: process.env.NODE_ENV !== 'development' ? true : false,
+      }
     },
 
     forgotPassword: forgotPasswordOptions,