From d5044ce1d5fd9f557f9db53a47ce16b98bb896c2 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Tue, 14 Jan 2020 22:50:49 +0200
Subject: [PATCH] Added support for SameSite cookie option
---
 app/controllers/api/account.php | 17 +++++++++++++----
 app/controllers/api/auth.php | 10 +++++-----
 app/controllers/api/teams.php | 5 ++++-
 app/init.php | 7 +++++--
 4 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 648025a40..eb5c0dea9 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -384,6 +384,7 @@ $utopia->post('/v1/account/sessions')
 $response
 ->addCookie(Auth::$cookieName, Auth::encodeSession($profile->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($profile->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
 ->setStatusCode(Response::STATUS_CODE_CREATED)
 ->json($session->getArrayCopy(['$uid', 'type', 'expire']))
 ;
@@ -612,9 +613,9 @@ $utopia->get('/v1/account/sessions/oauth/:provider/redirect')
 $response
 ->addCookie(Auth::$cookieName, Auth::encodeSession($user->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($user->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
+ ->redirect($state['success'])
 ;
-
- $response->redirect($state['success']);
 }
 );
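Review bot: The `_legacy` cookie added below the primary `addCookie` in both hunks repeats the full nine-argument call with only the name suffix and the trailing `null` changed, and the same pair is then copied into hunks -827, -862, -902 and -938 of this file and -594 of teams.php, so the Secure flag, domain and expiry of the two cookies can drift apart at any one site without a review noticing. A helper that issues (and expires) both cookies from one argument list, with the `'_legacy'` suffix defined once beside `COOKIE_SAMESITE` in init.php and reused by the reader there, would remove that risk; today a typo in any of the literal suffixes silently disables the fallback on that route. The first `_legacy` line also deserves a comment, since nothing on the new side says why a session secret is being issued twice, e.g. `// same session, no SameSite: fallback for clients that drop or mis-handle SameSite=None; read back in init.php`. Both route closures start before their hunks.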
@@ -827,6 +828,7 @@ $utopia->delete('/v1/account')
 $response
 ->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName.'_legacy', '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
 ->noContent()
 ;
 }
@@ -862,7 +864,10 @@ $utopia->delete('/v1/account/sessions')
 ;
 if ($token->getAttribute('secret') == Auth::hash(Auth::$secret)) { // If current session delete the cookies too
- $response->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE);
+ $response
+ ->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName.'_legacy', '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
+ ;
 }
 }
@@ -902,7 +907,10 @@ $utopia->delete('/v1/account/sessions/:id')
 ;
 if ($token->getAttribute('secret') == Auth::hash(Auth::$secret)) { // If current session delete the cookies too
- $response->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE);
+ $response
+ ->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName.'_legacy', '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
+ ;
 }
 }
 }
@@ -938,6 +946,7 @@ $utopia->delete('/v1/account/sessions/current')
 $response
 ->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName.'_legacy', '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
 ->noContent()
 ;
 }
diff --git a/app/controllers/api/auth.php b/app/controllers/api/auth.php
index 2074c7a96..82664d5be 100644
--- a/app/controllers/api/auth.php
+++ b/app/controllers/api/auth.php
@@ -177,7 +177,7 @@ $utopia->post('/v1/auth/register')
 ;
 $response
- ->addCookie(Auth::$cookieName, Auth::encodeSession($user->getUid(), $loginSecret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE);
+ ->addCookie(Auth::$cookieName, Auth::encodeSession($user->getUid(), $loginSecret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null);
 if ($success) {
 $response->redirect($success);
@@ -375,7 +375,7 @@ $utopia->post('/v1/auth/login')
 ;
 $response
- ->addCookie(Auth::$cookieName, Auth::encodeSession($profile->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE);
+ ->addCookie(Auth::$cookieName, Auth::encodeSession($profile->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null);
 if ($success) {
 $response->redirect($success);
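Review bot: The two auth.php hunks replace `COOKIE_SAMESITE` with a bare `null` rather than adding the `_legacy` fallback, so `/v1/auth/register` and `/v1/auth/login` now issue the session cookie with no SameSite attribute at all while the `/v1/account` routes issue `SameSite=None` plus the fallback; hunks -608, -641 and -671 on the next line do the same. Browsers that treat a missing SameSite as Lax will then stop sending these cookies on cross-site requests, a behaviour change the commit message does not mention. If these routes are kept only for compatibility, say so where the `null` is introduced, e.g. `true, null); // legacy /v1/auth route: no SameSite on purpose, superseded by /v1/account`; otherwise they should emit the same cookie pair as account.php. The logout hunks -641 and -671 likewise clear only the primary cookie, so a `_legacy` cookie set earlier by an account route stays in the browser; presumably harmless once the token is removed server-side, which happens outside the hunk, but clearing it there too keeps the two APIs symmetric.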
@@ -608,7 +608,7 @@ $utopia->get('/v1/auth/login/oauth/:provider/redirect')
 ;
 $response
- ->addCookie(Auth::$cookieName, Auth::encodeSession($user->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName, Auth::encodeSession($user->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
 ;
 $response->redirect($state['success']);
@@ -641,7 +641,7 @@ $utopia->delete('/v1/auth/logout')
 $audit->setParam('event', 'auth.logout');
 $response
- ->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
 ->json(array('result' => 'success'))
 ;
 }
@@ -671,7 +671,7 @@ $utopia->delete('/v1/auth/logout/:id')
 ;
 if ($token->getAttribute('secret') == Auth::hash(Auth::$secret)) { // If current session delete cookies
- $response->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE);
+ $response->addCookie(Auth::$cookieName, '', time() - 3600, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null);
 }
 }
 }
diff --git a/app/controllers/api/teams.php b/app/controllers/api/teams.php
index 55b590a4e..a4b25c78b 100644
--- a/app/controllers/api/teams.php
+++ b/app/controllers/api/teams.php
@@ -594,7 +594,10 @@ $utopia->patch('/v1/teams/:teamId/memberships/:inviteId/status')
 ->setParam('event', 'auth.join')
 ;
- $response->addCookie(Auth::$cookieName, Auth::encodeSession($user->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE);
+ $response
+ ->addCookie(Auth::$cookieName, Auth::encodeSession($user->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, COOKIE_SAMESITE)
+ ->addCookie(Auth::$cookieName.'_legacy', Auth::encodeSession($user->getUid(), $secret), $expiry, '/', COOKIE_DOMAIN, ('https' == $request->getServer('REQUEST_SCHEME', 'https')), true, null)
+ ;
 if ($success) {
 $response->redirect($success);
diff --git a/app/init.php b/app/init.php
index 46d659ea4..54a0f7b04 100644
--- a/app/init.php
+++ b/app/init.php
@@ -56,7 +56,7 @@ define('COOKIE_DOMAIN',
 ) ? null : '.'.parse_url($scheme.'://'.$request->getServer('HTTP_HOST', ''), PHP_URL_HOST));
-define('COOKIE_SAMESITE', null); // Response::COOKIE_SAMESITE_NONE
+define('COOKIE_SAMESITE', Response::COOKIE_SAMESITE_NONE);
 /*
  * Registry
@@ -222,7 +222,10 @@ if (APP_MODE_ADMIN === $mode) {
 Auth::setCookieName('a_session_'.$console->getUid());
 }
-$session = Auth::decodeSession($request->getCookie(Auth::$cookieName, $request->getHeader('X-Appwrite-Key', '')));
+$session = Auth::decodeSession(
+ $request->getCookie(Auth::$cookieName, // Get sessions
+ $request->getCookie(Auth::$cookieName.'_legacy', // Get fallback session from old clients (no SameSite support)
+ $request->getHeader('X-Appwrite-Key', '')))); // Get API Key
 Auth::$unique = $session['id'];
 Auth::$secret = $session['secret'];
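Review bot: `COOKIE_SAMESITE` becomes an unconditional `Response::COOKIE_SAMESITE_NONE` in the -56 hunk of init.php, but browsers implementing the current SameSite draft accept `SameSite=None` only together with `Secure`, and every call site in this commit derives Secure from `REQUEST_SCHEME`, so on a plain-HTTP deployment, or behind a TLS-terminating proxy that reports `http`, the primary session cookie is rejected and only the `_legacy` cookie (where a route sets one) keeps the user signed in. Tying the attribute to the same condition removes that silent dependency, e.g. `define('COOKIE_SAMESITE', ('https' === $scheme) ? Response::COOKIE_SAMESITE_NONE : null);` if `$scheme` on the line above holds the request scheme as its use in `parse_url` suggests, otherwise repeat the `REQUEST_SCHEME` check the controllers use. A one-line comment on the define stating why None is required, presumably cross-origin use of the API from browser SDKs, would also make the pairing with the `_legacy` fallback chain in the -222 hunk obvious to the next reader.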