feat(SW-162): Updated MFA to use basic cookie validation

2024-08-09 13:18:49 +02:00
parent 1040c09147
commit 13ded529cc
3 changed files with 19 additions and 40 deletions
--- a/auth.ts
+++ b/auth.ts
@@ -143,18 +143,15 @@ export const config = {
    async jwt({ account, session, token, trigger, user }) {
      if (account?.provider == "curity-mfa") {
        const cookieStore = cookies()
-        const value = token.access_token
-        const secret = env.NEXTAUTH_SECRET
-        const maxAge = 60 * 15
-        const name = "_SecureMFA-token"
-        const mfaCookie = await encode({
-          secret,
-          maxAge,
-          token: value,
-          salt: name,
-        })
-        cookieStore.set("_SecureMFA-token", mfaCookie.toString(), {
-          maxAge: maxAge,
+        // As new scope/token is added to existing session we will add separate cookie to validate MFA done
+        cookieStore.set({
+          name: "_MFA-validated-cookie",
+          value: "true",
+          httpOnly: true,
+          sameSite: "lax",
+          expires: token.expires_at
+            ? token.expires_at * 1000
+            : Date.now() + 10 * 60 * 1000,
        })
      }