Description
Search Terms
Authentication, Cookie, JWT, SSO
Suggestion
We use SSO / JWT tokens for authentication in Coral—for both our users and our moderation team. We want to keep it that way to prevent different login methods from interfering with each other.
For users, this works perfectly. However, we have encountered a couple of issues for moderators.
When a moderator enters the Coral backend via the "Moderate" button, they are correctly logged in because the access token is passed via URL. However, if the moderator presses F5 while in the backend, they are logged out and must re-enter the backend.
Additionally, we have integrated Slack to receive quick notifications about new "PENDING" comments. Unfortunately, the direct links to the backend included in those notifications cannot be used, as they do not contain the access token in the URL.
When investigating the issue, I noticed in the file server/src/core/server/services/jwt/index.ts that there was apparently support for an authentication cookie at some point:
```ts
// NOTE: disabled cookie support due to ITP/First Party Cookie bugs
// /**
//  * COOKIE_NAME is the name of the authorization cookie used by Coral.
//  */
// export const COOKIE_NAME = "authorization";

...

// NOTE: disabled cookie support due to ITP/First Party Cookie bugs
// /**
//  * extractJWTFromRequestCookie will parse the cookies off of the request if it
//  * can.
//  *
//  * @param req the incoming request possibly containing a cookie
//  */
// function extractJWTFromRequestCookie(
//   req: Request | IncomingMessage
// ): string | null {
//   if (!isExpressRequest(req)) {
//     // Grab the cookie header.
//     const header = req.headers.cookie;
//     if (typeof header !== "string" || header.length === 0) {
//       return null;
//     }
//     // Parse the cookies from that header.
//     const cookies = cookie.parse(header);
//     return cookies[COOKIE_NAME] || null;
//   }
//   return req.cookies && req.cookies[COOKIE_NAME]
//     ? req.cookies[COOKIE_NAME]
//     : null;
// }

...

// NOTE: disabled cookie support due to ITP/First Party Cookie bugs
// return extractJWTFromRequestHeaders(req, excludeQuery) || extractJWTFromRequestCookie(req)
```
It seems this functionality was commented out more than two years ago due to a bug.
I was wondering if this feature will be reactivated at some point and, if so, when?
The cookie generation doesn’t need to happen within Coral—we would handle this application-side since we also generate the JWT token. We would ensure that the cookie is set with Domain=.newspaper.com, making it accessible to coral.newspaper.com.
Restoring cookie support could significantly improve the moderation experience by ensuring that user sessions are not dependent on a URL parameter, making them more persistent.
Best regards!
EnCz
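The lookup order the commented-out code implies (Authorization header, then the URL token, then the cookie) together with the Set-Cookie header the owning application would send, as an added example that is not Coral's code. `COOKIE_NAME`, the `accessToken` query parameter name and `.newspaper.com` are assumptions, not values taken from the Coral repository.

```typescript
// Added example, not Coral's code: header -> query -> cookie token lookup, plus
// the Set-Cookie header the application that mints the JWT would send.
// COOKIE_NAME, the "accessToken" query parameter and ".newspaper.com" are
// assumptions, not values taken from Coral.
const COOKIE_NAME = "authorization";

interface MinimalRequest {
  headers: Record<string, string | undefined>;
  query?: Record<string, string | undefined>;
}

// Parse an RFC 6265 Cookie header ("a=1; b=2") into a name -> value map.
// The first occurrence of a name wins, matching the order browsers send.
function parseCookieHeader(header: string): Record<string, string> {
  const out: Record<string, string> = Object.create(null);
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name.length > 0 && out[name] === undefined) out[name] = value;
  }
  return out;
}

function extractJWTFromCookie(req: MinimalRequest): string | null {
  const header = req.headers["cookie"];
  if (typeof header !== "string" || header.length === 0) return null;
  return parseCookieHeader(header)[COOKIE_NAME] ?? null;
}

// Resolve the token with the cookie as the last fallback, so an F5 reload or a
// Slack deep link without accessToken in the URL still authenticates.
function extractJWT(req: MinimalRequest, excludeQuery = false): string | null {
  const match = /^Bearer\s+(\S+)$/i.exec(req.headers["authorization"] ?? "");
  if (match && match[1]) return match[1];
  const queryToken = excludeQuery ? undefined : req.query?.["accessToken"];
  if (queryToken) return queryToken;
  return extractJWTFromCookie(req);
}

// Set-Cookie header the application (which mints the JWT) would send. A JWT is
// base64url plus dots, so no cookie encoding is needed. HttpOnly keeps the token
// away from page scripts, Secure limits it to HTTPS, and SameSite=Lax is still
// sent on the top-level navigation that a Slack link triggers.
function buildAuthCookie(token: string, domain: string, maxAgeSeconds: number): string {
  return `${COOKIE_NAME}=${token}; Domain=${domain}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}
```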