fix(cookie): sameSite to "none" for oauth state (#5748)

2026-05-24 08:01:56 -05:00 · 2025-11-03 21:13:24 -08:00
parent 13dee5362c
commit 324a2ed343
4 changed files with 13 additions and 4 deletions
--- a/demo/nextjs/lib/auth.ts
+++ b/demo/nextjs/lib/auth.ts
@@ -350,7 +350,7 @@ export const auth = betterAuth({
 		}),
 		lastLoginMethod(),
 	],
-	trustedOrigins: ["exp://"],
+	trustedOrigins: ["exp://", "https://appleid.apple.com"],
 	advanced: {
 		crossSubDomainCookies: {
 			enabled: process.env.NODE_ENV === "production",
--- a/demo/nextjs/turbo.json
+++ b/demo/nextjs/turbo.json
@@ -19,7 +19,9 @@
        "MICROSOFT_CLIENT_ID",
        "MICROSOFT_CLIENT_SECRET",
        "STRIPE_KEY",
-        "STRIPE_WEBHOOK_SECRET"
+        "STRIPE_WEBHOOK_SECRET",
+        "APPLE_CLIENT_ID",
+        "APPLE_CLIENT_SECRET"
      ]
    }
  }
--- a/packages/better-auth/src/oauth2/state.ts
+++ b/packages/better-auth/src/oauth2/state.ts
@@ -49,6 +49,7 @@ export async function generateState(
 		});

 		const stateCookie = c.context.createAuthCookie("oauth_state", {
+			sameSite: "none",
 			maxAge: 10 * 60 * 1000, // 10 minutes
 		});

@@ -62,6 +63,7 @@ export async function generateState(

 	// Default: database strategy
 	const stateCookie = c.context.createAuthCookie("state", {
+		sameSite: "none",
 		maxAge: 5 * 60 * 1000, // 5 minutes
 	});
 	await c.setSignedCookie(
@@ -116,7 +118,9 @@ export async function parseState(c: GenericEndpointContext) {

 	if (storeStateStrategy === "cookie") {
 		// Retrieve state data from encrypted cookie
-		const stateCookie = c.context.createAuthCookie("oauth_state");
+		const stateCookie = c.context.createAuthCookie("oauth_state", {
+			sameSite: "none",
+		});
 		const encryptedData = await c.getCookie(stateCookie.name);

 		if (!encryptedData) {
@@ -162,7 +166,9 @@ export async function parseState(c: GenericEndpointContext) {

 		parsedData = stateDataSchema.parse(JSON.parse(data.value));

-		const stateCookie = c.context.createAuthCookie("state");
+		const stateCookie = c.context.createAuthCookie("state", {
+			sameSite: "none",
+		});
 		const stateCookieValue = await c.getSignedCookie(
 			stateCookie.name,
 			c.context.secret,
--- a/packages/expo/src/index.ts
+++ b/packages/expo/src/index.ts
@@ -106,6 +106,7 @@ export const expo = (options?: ExpoOptions | undefined) => {
 						});
 					}
 					const stateCookie = ctx.context.createAuthCookie("state", {
+						sameSite: "none",
 						maxAge: 5 * 60 * 1000, // 5 minutes
 					});
 					await ctx.setSignedCookie(