fix: use http-only cookies

danielroe · danielroe · commit f2ad3981f3e6 · 2026-01-31T07:10:27.000Z
diff --git a/server/utils/atproto/storage.ts b/server/utils/atproto/storage.ts
@@ -26,7 +26,11 @@ export class OAuthStateStore implements NodeSavedStateStore {
   }
 
   async set(key: string, val: NodeSavedState) {
-    setCookie(this.event, this.cookieKey, key)
+    setCookie(this.event, this.cookieKey, key, {
+      httpOnly: true,
+      secure: !import.meta.dev,
+      sameSite: 'lax',
+    })
     await this.storage.setItem<NodeSavedState>(key, val)
   }
 
@@ -60,7 +64,11 @@ export class OAuthSessionStore implements NodeSavedSessionStore {
   }
 
   async set(key: string, val: NodeSavedSession) {
-    setCookie(this.event, this.cookieKey, key)
+    setCookie(this.event, this.cookieKey, key, {
+      httpOnly: true,
+      secure: !import.meta.dev,
+      sameSite: 'lax',
+    })
     await this.storage.setItem<NodeSavedSession>(key, val)
   }
 

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,11 @@ export class OAuthStateStore implements NodeSavedStateStore {`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`async set(key: string, val: NodeSavedState) {`
`29`		`- setCookie(this.event, this.cookieKey, key)`
	`29`	`+ setCookie(this.event, this.cookieKey, key, {`
	`30`	`+ httpOnly: true,`
	`31`	`+ secure: !import.meta.dev,`
	`32`	`+ sameSite: 'lax',`
	`33`	`+ })`
`30`	`34`	`await this.storage.setItem<NodeSavedState>(key, val)`
`31`	`35`	`}`
`32`	`36`
`@@ -60,7 +64,11 @@ export class OAuthSessionStore implements NodeSavedSessionStore {`
`60`	`64`	`}`
`61`	`65`
`62`	`66`	`async set(key: string, val: NodeSavedSession) {`
`63`		`- setCookie(this.event, this.cookieKey, key)`
	`67`	`+ setCookie(this.event, this.cookieKey, key, {`
	`68`	`+ httpOnly: true,`
	`69`	`+ secure: !import.meta.dev,`
	`70`	`+ sameSite: 'lax',`
	`71`	`+ })`
`64`	`72`	`await this.storage.setItem<NodeSavedSession>(key, val)`
`65`	`73`	`}`
`66`	`74`