res.cookie option with sameSite 'none' throws TypeError: option sameSite is invalid at Object.serialize

[matjazonline]

Related issues

I found the issue for Express framework
expressjs/express#3958
and looks it was fixed there.

[REQUIRED] Version info

node: v10.16.3

firebase-tools:

8.0.0.

[REQUIRED] Test case

export const sameSiteCookie = functions.https.onRequest((req, res) => {
cors(req, res, () => {
const expiresIn = 60 * 60 * 24 * 5 * 1000;
const options: any = {
maxAge: expiresIn,
httpOnly: true,
secure: true,
sameSite: 'none',
};
res.cookie('testCKI', 'value123', options);
res.end(JSON.stringify({
data: {
status: 'success'
}
}));
});
});

[REQUIRED] Steps to reproduce

calling the cloud function above

[REQUIRED] Expected behavior

set cookie value to SameSite=Never

[REQUIRED] Actual behavior

TypeError: option sameSite is invalid at Object.serialize (/worker/node_modules/cookie/index.js:174:15) at ServerResponse.res.cookie (/worker/node_modules/express/lib/response.js:853:36) at cors (/srv/lib/index.js:106:13) at cors (/srv/node_modules/cors/lib/index.js:188:7) at /srv/node_modules/cors/lib/index.js:224:17 at originCallback (/srv/node_modules/cors/lib/index.js:214:15) at /srv/node_modules/cors/lib/index.js:219:13 at optionsCallback (/srv/node_modules/cors/lib/index.js:199:9) at corsMiddleware (/srv/node_modules/cors/lib/index.js:204:7) at exports.sessionLogin.functions.https.onRequest (/srv/lib/index.js:98:5)

Were you able to successfully deploy your functions?

no error messages seen

[joehan]

Thanks for reporting this @matjazonline. Could you also share which version of firebase-functions you are using?

This does look like a similar issue to the one that you found from Express - however, its not immediately clear to me which package is causing it here. According to that issue, this was fixed in express@4.17.0, which firebase-functions has been using for 10 months now: https://github.com/firebase/firebase-functions/blame/master/package.json#L43

I'm going to do some further testing to see if I can repro this and figure out which package we need to update to stop this error.

[matjazonline]

Hi Joehan, I'm using firebase-functions@3.6.0 and there is also cors@2.8.5 in the same node_modules directory.

…

On Wed, 8 Apr 2020 at 19:02, joehan ***@***.***> wrote: Thanks for reporting this @matjazonline <https://github.com/matjazonline>. Could you also share which version of firebase-functions you are using? This does look like a similar issue to the one that you found from Express - however, its not immediately clear to me which package is causing it here. According to that issue, this was fixed in ***@***.***, which firebase-functions has been using for 10 months now: https://github.com/firebase/firebase-functions/blame/master/package.json#L43 From the debug logs you shared, I think this could be coming from the cors package. The latest version is 2.8.5, which came out right around when ***@***.*** was released, but we are on 2.8.4, which is 3 years old. Going to investigate/test further to see if we can fix this by updating cors to 2.8.5 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#653 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIKMJWOWWWJNWEUACWQJOTRLSU4FANCNFSM4L2HXDTA> .

[swftvsn]

@joehan we also hit this:

TypeError: option sameSite is invalid
at Object.serialize (/worker/node_modules/cookie/index.js:174:15)
at ServerResponse.res.cookie (/worker/node_modules/express/lib/response.js:853:36)

We have "cookie": "^0.4.1" in package.json and our package-lock.json has

"cookie": {
  "version": "0.4.1",
  "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz",
  "integrity": "sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA=="
},

The stack trace how ever matches the lines in older cookie lib version, so for some reason the versions are not honored when deployed to CF?

Running with "firebase-functions": "^3.6.1", and latest cli to deploy. 8 as the node engine.

[swftvsn]

You can check here: https://github.com/jshttp/cookie/pull/89/files that the lines match cookie lib < 1.4.0 being used in CF.

[swftvsn]

@matjazonline for the time being, you can write raw cookies (multiple) like this:

res.setHeader('set-cookie', [
 'firstCookie=' + valueForFirst + '; Max-Age=' + expiresSeconds + '; Path=/some/path/; Expires=' + expiresDate.toUTCString() + '; Secure; SameSite=None; Domain=my-domain.com; HttpOnly', 
 'secondCookie=' + valueForSecond + '; Max-Age=' + expiresSeconds + '; Path=/other/; Expires=' + expiresDate.toUTCString() + '; SameSite=Strict;'
])

etc.

[shivanshu41]

Did anyone fix this issue ?

[rhodgkins]

The functions-framework, which I believe the Firebase functions are run on, uses express: 4.16.4 - that's no the issue is it?

Had similar problems with x-powered-by header and it turns out the functions use a child app of the functions framework app, or something like that...!