File tree Expand file tree Collapse file tree 2 files changed +29
-1
lines changed Expand file tree Collapse file tree 2 files changed +29
-1
lines changed Original file line number Diff line number Diff line change @@ -181,6 +181,34 @@ It detaches the ACM certificate from our ALB listener and then deletes the ACM c
181181
182182It's a necessary step to ensure that we don't waste AWS resources and also provide safety regarding the custom domain access to Stacker News.
183183
184+ # Auth Sync
185+
186+ Cross-domain JWT authentication is a complex issue due to browser security restrictions, mainly because cookies:
187+ - are bound to specific domains
188+ - -- cookie property of ` stacker.news ` - ** DON'T EAT**
189+
190+ and
191+
192+ - can't be set for another domain
193+ - -- ` stacker.news ` <- cookie -> ` pizza.com ` 🚫
194+
195+ Instead of fighting these restrictions, Auth Sync works with them by creating a whole new session:
196+ - user visits ` pizza.com/login `
197+ - middleware redirects to auth sync ** on the main domain** accessing that domain cookies
198+ - -- ` https://stacker.news/api/auth/sync?domain=pizza.com&redirectUri=/items/212142 `
199+ - checks if pizza.com is an ** allowed domain**
200+ - checks if there's a session
201+ - -- if not: redirects to ` stacker.news/login ` with ` /api/auth/sync ` as callback to continue syncing
202+ - auth sync creates a short-lived verification token and redirects back to the custom domain with the ` token ` parameter
203+ - -- ` https://pizza.com/?token=42424242&redirectUri=/items/212142 `
204+ - middleware exchanges this token for a session, ** setting the session cookie** on pizza.com
205+ - -- ` POST: https://stacker.news/api/auth/sync; token: 42424242 `
206+
207+
208+ This design focuses on security as the verification token is a one-time code that dies in ** 5 minutes** and has ** 256 bits** of entropy. The JWT is then generated server-side and applied to the final middleware response.
209+
210+
211+
184212# Neat stuff
185213
186214### Let's go HTTPS with a reverse proxy
Original file line number Diff line number Diff line change @@ -5,7 +5,7 @@ import { encode as encodeJWT, getToken } from 'next-auth/jwt'
55import { validateSchema , customDomainSchema } from '@/lib/validate'
66
77const SN_MAIN_DOMAIN = new URL ( process . env . NEXT_PUBLIC_URL )
8- const SYNC_TOKEN_MAX_AGE = 60 // 1 minute
8+ const SYNC_TOKEN_MAX_AGE = 60 * 5 // 5 minutes
99
1010export default async function handler ( req , res ) {
1111 try {
You can’t perform that action at this time.
0 commit comments