some updates and notes

waspc/data/Generator/templates/react-app/src/index.js

@@ -36,7 +36,10 @@ async function startApp() {
   serviceWorker.unregister()
 }
 
-// TODO: Chat on options. Pretty hacky.
+// NOTE: Since users will likely have the backend running on a different domain than
+// the frontend, we are unable to set the token:
+// (a) on the page load, as the index.html is not served by Node, nor
+// (b) via a cookie, since the frontend JS will not be able to access a cross-domain cookie.
 async function setCsrfToken() {
   const token = await api.get(config.apiUrl + '/csrf-token')
 

waspc/data/Generator/templates/server/src/app.js

@@ -18,6 +18,7 @@ import { useSession } from './session.js'
 const app = express()
 
 app.use(helmet())
+// TODO: review PR that concerns this.
 app.use(cors({
   origin: config.frontendUrl,
   methods: ['POST', 'PUT', 'GET', 'OPTIONS', 'HEAD'],

waspc/data/Generator/templates/server/src/routes/index.js

@@ -15,6 +15,7 @@ router.get('/', function (req, res, next) {
 {=# isAuthEnabled =}
 router.use('/auth', auth)
 
+// TODO: ensure this only can be requested by frontend
 router.get('/csrf-token', function (req, res) {
   res.json(req.csrfToken())
 })

waspc/data/Generator/templates/server/src/session.js

@@ -15,7 +15,6 @@ const sessionConfig = {
   saveUninitialized: true,
   cookie: {
     httpOnly: true,
-    // TODO: Use sameSite?
     maxAge: config.session.cookie.maxAge,
   },
   store: new PrismaSessionStore(prisma, {
@@ -36,7 +35,9 @@ const csrfConfig = {
 export function useSession(app) {
   if (config.env === 'production') {
     sessionConfig.cookie.secure = true
-    csurfConfig.cookie.secure = true
+    sessionConfig.cookie.sameSite = 'none'
+    csrfConfig.cookie.secure = true
+    csrfConfig.cookie.sameSite = 'none'
   }
 
   app.use(session(sessionConfig))