Merge pull request #232 from pow-auth/add-cookie-options-instructions

Add cookie options instructions
pow-auth · Jan 23, 2023 · 218f45d · 218f45d
2 parents 6102a3e + 9c3a57c
commit 218f45d
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -305,6 +305,25 @@ end
 
 PowAssent will pick it up in the authorization flow, and prevent creating a user if the registration path is missing.
 
+## Cookie options
+
+Cookie options are passed on to `Plug.Conn.html.put_resp_cookie/4` and can be set by using the `:auth_session_cookie_opts` setting (and `:reauthorization_cookie_opts` for the `PowAssent.Plug.Reauthorization` plug):
+
+```elixir
+config :my_app, :pow_assent,
+    auth_session_cookie_opts: [
+      secure: true,
+      extra: "SameSite=Strict"
+    ]
+
+    # If you are using the reathorization plug:
+    # reauthorization_cookie_opts: [
+    #   secure: true
+    # ]
+  ]
+]
+```
+
 ## HTTP Adapter
 
 By default Erlangs built-in `:httpc` is used for requests. SSL verification is automatically enabled when `:certifi` and `:ssl_verify_fun` packages are available. `:httpc` only supports HTTP/1.1.

diff --git a/test/pow_assent/plugs/reauthorization_test.exs b/test/pow_assent/plugs/reauthorization_test.exs
@@ -24,6 +24,7 @@ defmodule PowAssent.Plug.ReauthorizationTest do
   end
 
   @cookie_key "reauthorization_provider"
+  @custom_cookie_opts [domain: "domain.com", max_age: 1, path: "/path", http_only: false, secure: true, extra: "SameSite=Lax"]
   @default_config [
     plug: PowSession,
     user: User,
@@ -154,6 +155,25 @@ defmodule PowAssent.Plug.ReauthorizationTest do
       assert cookie = conn.resp_cookies["test_app_#{@cookie_key}"]
       assert cookie.value == "test_provider"
     end
+
+    test "with custom cookie options", %{conn: init_conn} do
+      config = Keyword.put(@default_config, :pow_assent, reauthorization_cookie_opts: @custom_cookie_opts)
+
+      conn =
+        init_conn
+        |> PowPlug.put_config(config)
+        |> init_plug()
+        |> run_callback()
+
+      assert %{
+        domain: "domain.com",
+        extra: "SameSite=Lax",
+        http_only: false,
+        max_age: 1,
+        path: "/path",
+        secure: true
+      } = conn.resp_cookies[@cookie_key]
+    end
   end
 
   defp with_reauthorization_condition(conn), do: Conn.put_private(conn, :reauthorize?, true)