🐛 Fix infinite loop when trying to migrate legacy cookie (#1561)

2025-06-03 11:11:48 +02:00 · 2025-02-13 10:14:03 +07:00 · 2025-02-13 10:14:03 +07:00 · ff4a1d16cb
commit ff4a1d16cb
parent cb27ae9ea7
14 changed files with 260 additions and 139 deletions
--- a/apps/web/tests/helpers/next-auth-v4.ts
+++ b/apps/web/tests/helpers/next-auth-v4.ts
@ -0,0 +1,36 @@
+import hkdf from "@panva/hkdf";
+import { EncryptJWT } from "jose";
+import type { JWT } from "next-auth/jwt";
+
+const now = () => (Date.now() / 1000) | 0;
+export async function getDerivedEncryptionKey(
+  keyMaterial: string | Buffer,
+  salt: string,
+) {
+  return await hkdf(
+    "sha256",
+    keyMaterial,
+    salt,
+    `NextAuth.js Generated Encryption Key${salt ? ` (${salt})` : ""}`,
+    32,
+  );
+}
+
+interface JWTEncodeParams {
+  token?: JWT;
+  salt?: string;
+  secret: string | Buffer;
+  maxAge?: number;
+}
+
+export async function encode(params: JWTEncodeParams) {
+  /** @note empty `salt` means a session token. See {@link JWTEncodeParams.salt}. */
+  const { token = {}, secret, maxAge = 30 * 24 * 60 * 60, salt = "" } = params;
+  const encryptionSecret = await getDerivedEncryptionKey(secret, salt);
+  return await new EncryptJWT(token)
+    .setProtectedHeader({ alg: "dir", enc: "A256GCM" })
+    .setIssuedAt()
+    .setExpirationTime(now() + maxAge)
+    .setJti("some-random-id")
+    .encrypt(encryptionSecret);
+}
--- a/apps/web/tests/next-auth-migration.spec.ts
+++ b/apps/web/tests/next-auth-migration.spec.ts
@ -0,0 +1,57 @@
+import { expect, test } from "@playwright/test";
+import { prisma } from "@rallly/database";
+
+import { encode } from "./helpers/next-auth-v4";
+
+const legacyGuestId = "user-1234";
+
+test.describe.serial(() => {
+  test.beforeAll(async () => {
+    await prisma.poll.create({
+      data: {
+        id: "legacy-guest-poll",
+        title: "Test Poll",
+        adminUrlId: "admin-url-id",
+        participantUrlId: "participant-url-id",
+        guestId: legacyGuestId,
+      },
+    });
+  });
+  test.afterAll(async () => {
+    await prisma.poll.delete({
+      where: {
+        id: "legacy-guest-poll",
+      },
+    });
+  });
+
+  test("should see poll on login page", async ({ page }) => {
+    const context = page.context();
+    const legacyToken = await encode({
+      token: {
+        sub: legacyGuestId,
+      },
+      secret: process.env.SECRET_PASSWORD,
+    });
+
+    // set cookie to simulate legacy guest
+    await context.addCookies([
+      {
+        name: "next-auth.session-token",
+        value: legacyToken,
+        httpOnly: true,
+        expires: Date.now() / 1000 + 60 * 60 * 24 * 7,
+        secure: false,
+        sameSite: "Lax",
+        domain: "localhost",
+        path: "/",
+      },
+    ]);
+
+    // For some reason it doesn't work unless we need to redirect
+    await page.goto("/login");
+
+    // Check if the poll title exists in the page content
+    await expect(page.getByText("Test Poll")).toBeVisible();
+  });
+});