Skip to content

Feature/task 159 anh #160

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
2 commits merged into from
Aug 29, 2025
Merged

Feature/task 159 anh #160

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
eb9f00d
fix: auth Incognito
anhlnp Aug 27, 2025
99d301b
fix: build
anhlnp Aug 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 20 additions & 6 deletions src/app.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,15 +50,29 @@ const allowedOrigins = Array.from(
app.use(
cors({
origin: function (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) {
if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
// Allow requests with no origin (like mobile apps or curl requests)
if (!origin) {
return callback(null, true);
}

// Check if origin is in allowed list
if (allowedOrigins.includes(origin)) {
return callback(null, true);
}

// For development, allow all localhost origins
if (process.env.NODE_ENV !== 'production' && origin.includes('localhost')) {
return callback(null, true);
}

// Log blocked origins for debugging
console.log('Blocked origin:', origin);
callback(new Error('Not allowed by CORS'));
},
credentials: true,
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
allowedHeaders: ['Content-Type', 'Authorization', 'Cookie']
methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
allowedHeaders: ['Content-Type', 'Authorization', 'Cookie', 'X-Requested-With'],
exposedHeaders: ['Set-Cookie']
})
);

Expand Down
16 changes: 8 additions & 8 deletions src/controllers/user.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -242,18 +242,18 @@ export const loginUser = catchAsync(async (req: Request, res: Response, next: Ne

export const logoutUser = catchAsync(async (req: Request, res: Response, next: NextFunction) => {
res.cookie('access_token', '', {
domain: '.vercel.app',
secure: true,
sameSite: 'none',
secure: process.env.NODE_ENV === 'production',
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
httpOnly: true,
maxAge: 1
maxAge: 1,
path: '/'
});
res.cookie('refresh_token', '', {
domain: '.vercel.app',
secure: true,
sameSite: 'none',
secure: process.env.NODE_ENV === 'production',
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
httpOnly: true,
maxAge: 1
maxAge: 1,
path: '/'
});

const userId = req.user?._id || '';
Expand Down
8 changes: 5 additions & 3 deletions src/utils/jwt.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ interface ITokenOptions {
sameSite: 'lax' | 'strict' | 'none' | boolean;
secure?: boolean;
path?: string;
domain?: string;
}
const isProd = process.env.NODE_ENV === 'production';

Expand All @@ -23,8 +24,8 @@ export const accessTokenOptions: ITokenOptions = {
httpOnly: true,
secure: isProd,
path: '/',
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax'
// secure: process.env.NODE_ENV === 'production',
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
domain: process.env.NODE_ENV === 'production' ? undefined : undefined // Let browser set domain automatically
};
Comment on lines +27 to 29
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Remove domain: undefined — possible TS type error under strict mode.

domain?: string cannot be explicitly assigned undefined. Omit the field when not used, or make it string | undefined. Recommend omission for clarity.

 export const accessTokenOptions: ITokenOptions = {
   ...
-    sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
-    domain: process.env.NODE_ENV === 'production' ? undefined : undefined // Let browser set domain automatically
+    sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax'
 };

 export const refreshTokenOptions: ITokenOptions = {
   ...
-    sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
-    domain: process.env.NODE_ENV === 'production' ? undefined : undefined // Let browser set domain automatically
+    sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax'
 };

Also applies to: 37-39

🤖 Prompt for AI Agents 
In src/utils/jwt.ts around lines 27-29 and 37-39, the object literal sets
domain: undefined which can trigger a TypeScript strict-mode error because
domain?: string should be omitted rather than assigned undefined; remove the
domain: undefined entries and only include domain when you have a real string
(e.g., conditionally add domain: process.env.COOKIE_DOMAIN when NODE_ENV ===
'production'), or change the type to accept undefined if you intentionally need
the key — prefer omission for clarity.


export const refreshTokenOptions: ITokenOptions = {
Expand All @@ -33,7 +34,8 @@ export const refreshTokenOptions: ITokenOptions = {
httpOnly: true,
secure: isProd,
path: '/',
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax'
sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',
domain: process.env.NODE_ENV === 'production' ? undefined : undefined // Let browser set domain automatically
};

export const sendToken = (user: UserT, statusCode: number, res: Response) => {
Expand Down