Support cross domain credentials

[jamescryer]

Description

I have two or more Next.js applications which are deployed independently. They provide different services to users, and live under different subdomains e.g. login.mywebapp.com and people.mywebapp.com. For the user this is a single web application with a single session.

I'd like for the "login" web application to implement the nextjs-auth0 APIs, and have the other applications make use nextjs-auth0 frontend helpers without needing to implement the APIs as well. The other applications should use the APIs under the "login" sub domain.

I can almost make this work by

• Setting the environment variables NEXT_PUBLIC_AUTH0_LOGIN and NEXT_PUBLIC_AUTH0_PROFILE in all web apps
• Setting the header Access-Control-Allow-Origin and Access-Control-Allow-Credentials in the API handler in the login web app.
• Setting the session.cookie.domain as the .mywebapp.com so that it is shared across sub domains.

But the cookie is not sent with the request to https://login.mywebapp.com/api/auth/me, returning an "unauthorised" response.

This PR makes it possible to send the auth cookie across sub domains by setting the { credentials: 'include' } option in the checkSession() fetch call.

Testing

• Set the environment variable NEXT_PUBLIC_AUTH0_PROFILE to a different URL, and add any cookie to that domain. Upon loading the page a request will be sent to https://login.mywebapp.com/api/auth/me with the cookie sent on the request.

• This change adds test coverage for new/changed/fixed functionality

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not main

[vercel]

@jamescryer is attempting to deploy a commit to the Auth0 Team on Vercel.

A member of the Team first needs to authorize it.

[jamescryer]

Hey. I'm leaving this as a draft PR for now as for some yet unknown reason I'm unable to install the examples to try the end-to-end tests. It errors with Could not resolve dependency: ... peer next@">=9.4.4" from @serverless-jwt/[email protected]. I don't have time to work through this right now.

But if automation can run the those test and you're all happy with the idea then perhaps we can mark as "ready for review"? Also, I've not added any documentation, let me know if you'd like something added.

[adamjmcgrath]

Hi @jamescryer - thanks for raising this. I'd be happy to accept a PR that allowed you to optionally pass a custom fetcher (similar to useSWR) which should resolve your issue, eg

<Auth0Provider
  fetcher={async (url) => {
      const response = await fetch(url, { credentials: 'include' });
      return response.ok ? response.json() : undefined;
  }}

[jamescryer]

@adamjmcgrath Thanks for your feedback. Do my changes work for you?

[adamjmcgrath]

lgtm - thanks @jamescryer

just a small request on the test case

[adamjmcgrath]

const customFetcher = jest.fn().mockReturnValue(Promise.resolve('foo'));
// then    
expect(result.current.user).toBe('foo');

[jamescryer]

Ah, good shout. I've made that change.

[adamjmcgrath]

Looks good, thanks - I just need to wait a day or two for something before I can merge. Will keep you posted

[adamjmcgrath]

Thanks @jamescryer - I'll try and get round to releasing it this week