firebase-functions
res.cookie option with sameSite 'none' throws TypeError: option sameSite is invalid at Object.serialize
Related issues
I found the issue for the Express framework https://github.com/expressjs/express/issues/3958 and it looks like it was fixed there.
[REQUIRED] Version info
node: v10.16.3
firebase-tools: 8.0.0
[REQUIRED] Test case
export const sameSiteCookie = functions.https.onRequest((req, res) => {
  cors(req, res, () => {
    const expiresIn = 60 * 60 * 24 * 5 * 1000;
    const options: any = {
      maxAge: expiresIn,
      httpOnly: true,
      secure: true,
      sameSite: 'none',
    };
    res.cookie('testCKI', 'value123', options);
    res.end(JSON.stringify({ data: { status: 'success' } }));
  });
});
[REQUIRED] Steps to reproduce
calling the cloud function above
[REQUIRED] Expected behavior
set cookie value to SameSite=Never
[REQUIRED] Actual behavior
TypeError: option sameSite is invalid
    at Object.serialize (/worker/node_modules/cookie/index.js:174:15)
    at ServerResponse.res.cookie (/worker/node_modules/express/lib/response.js:853:36)
    at cors (/srv/lib/index.js:106:13)
    at cors (/srv/node_modules/cors/lib/index.js:188:7)
    at /srv/node_modules/cors/lib/index.js:224:17
    at originCallback (/srv/node_modules/cors/lib/index.js:214:15)
    at /srv/node_modules/cors/lib/index.js:219:13
    at optionsCallback (/srv/node_modules/cors/lib/index.js:199:9)
    at corsMiddleware (/srv/node_modules/cors/lib/index.js:204:7)
    at exports.sessionLogin.functions.https.onRequest (/srv/lib/index.js:98:5)
Were you able to successfully deploy your functions?
no error messages seen
Thanks for reporting this @matjazonline. Could you also share which version of firebase-functions you are using?
This does look like a similar issue to the one that you found from Express - however, it's not immediately clear to me which package is causing it here. According to that issue, this was fixed in [email protected], which firebase-functions has been using for 10 months now: https://github.com/firebase/firebase-functions/blame/master/package.json#L43
I'm going to do some further testing to see if I can repro this and figure out which package we need to update to stop this error.
Hi Joehan,
I'm using [email protected] and there is also [email protected] in the same node_modules directory.
On Wed, 8 Apr 2020 at 19:02, joehan [email protected] wrote:
Thanks for reporting this @matjazonline https://github.com/matjazonline. Could you also share which version of firebase-functions you are using?
This does look like a similar issue to the one that you found from Express - however, it's not immediately clear to me which package is causing it here. According to that issue, this was fixed in [email protected], which firebase-functions has been using for 10 months now: https://github.com/firebase/firebase-functions/blame/master/package.json#L43
From the debug logs you shared, I think this could be coming from the cors package. The latest version is 2.8.5, which came out right around when [email protected] was released, but we are on 2.8.4, which is 3 years old. Going to investigate/test further to see if we can fix this by updating cors to 2.8.5
@joehan we also hit this:
TypeError: option sameSite is invalid
at Object.serialize (/worker/node_modules/cookie/index.js:174:15)
at ServerResponse.res.cookie (/worker/node_modules/express/lib/response.js:853:36)
We have "cookie": "^0.4.1" in package.json and our package-lock.json has
"cookie": {
"version": "0.4.1",
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz",
"integrity": "sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA=="
},
The stack trace, however, matches the lines in an older cookie lib version, so for some reason the versions are not honored when deployed to CF?
Running with "firebase-functions": "^3.6.1", and latest cli to deploy. 8 as the node engine.
You can check here: https://github.com/jshttp/cookie/pull/89/files that the lines match cookie lib < 1.4.0 being used in CF.
@matjazonline for the time being, you can write raw cookies (multiple) like this:
res.setHeader('set-cookie', [
'firstCookie=' + valueForFirst + '; Max-Age=' + expiresSeconds + '; Path=/some/path/; Expires=' + expiresDate.toUTCString() + '; Secure; SameSite=None; Domain=my-domain.com; HttpOnly',
'secondCookie=' + valueForSecond + '; Max-Age=' + expiresSeconds + '; Path=/other/; Expires=' + expiresDate.toUTCString() + '; SameSite=Strict;'
])
etc.
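Added example (not part of the thread or of any project's code): when Set-Cookie headers are written by hand as in the workaround above, the checks that the cookie library would normally perform have to be done explicitly. The helper name `serializeCookie` and its option names are hypothetical.

```javascript
// Hand-rolled Set-Cookie serializer for runtimes whose bundled `cookie`
// module rejects sameSite: 'none'. All names here are hypothetical.

// RFC 6265 cookie-name is an HTTP token: no CTLs, spaces or separators.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Path and Domain values must not contain ';' or control characters.
const ATTR_VALUE = /^[\x20-\x3A\x3C-\x7E]+$/;
// Map lookup avoids matching inherited keys such as 'constructor'.
const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);

function serializeCookie(name, value, opts = {}) {
  if (!TOKEN.test(name)) throw new TypeError('invalid cookie name');
  // encodeURIComponent keeps ';', '=', spaces and CR/LF out of the header,
  // so a value cannot append attributes or split the response header.
  const parts = [`${name}=${encodeURIComponent(String(value))}`];

  if (opts.maxAgeSeconds !== undefined) {
    // Max-Age is in seconds; Express's maxAge option is in milliseconds.
    if (!Number.isInteger(opts.maxAgeSeconds)) throw new TypeError('invalid Max-Age');
    parts.push(`Max-Age=${opts.maxAgeSeconds}`);
  }
  for (const [attr, v] of [['Domain', opts.domain], ['Path', opts.path]]) {
    if (v === undefined) continue;
    if (!ATTR_VALUE.test(v)) throw new TypeError(`invalid ${attr}`);
    parts.push(`${attr}=${v}`);
  }
  if (opts.expires !== undefined) {
    if (!(opts.expires instanceof Date) || Number.isNaN(opts.expires.getTime())) {
      throw new TypeError('invalid Expires');
    }
    parts.push(`Expires=${opts.expires.toUTCString()}`);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');

  if (opts.sameSite !== undefined) {
    const mode = SAME_SITE.get(String(opts.sameSite).toLowerCase());
    if (!mode) throw new TypeError('invalid SameSite');
    // Browsers discard SameSite=None cookies that lack Secure.
    if (mode === 'None' && !opts.secure) throw new TypeError('SameSite=None requires Secure');
    parts.push(`SameSite=${mode}`);
  }
  return parts.join('; ');
}

// In a handler: res.setHeader('Set-Cookie', [serializeCookie(...), ...]);
```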
Did anyone fix this issue?
The functions-framework, which I believe the Firebase functions are run on, uses express: 4.16.4 - that's not the issue, is it?
Had similar problems with x-powered-by header and it turns out the functions use a child app of the functions framework app, or something like that...!