I am setting a Cookie using the SvelteKits’ integrated cookies.set inside a server action for OAuth reasons.
twitter: async ({ locals, cookies }) => {
const provider = (await locals.pb.collection("users").listAuthMethods()).authProviders.find((p) => p.name === "twitter");
cookies.set("provider", JSON.stringify(provider), {
path: "/",
httpOnly: true
});
console.log(cookies.get("provider"));
await new Promise(resolve => setTimeout(resolve, 1000));
const redirectUrl = provider?.authUrl + env.REDIRECT_URL + provider?.name;
throw redirect(303, redirectUrl);
},
The console.log(cookies.get("provider")); actually prints out the whole cookie, just as intended. However, when observing the browser console (hence the delay so I got more time to check) there is no cookie actually being set. After the redirect to Twitters’ OAuth service has taken place and I’m being redirected back to my callback url, there is no cookie available which I need to access the providers’ state (for CSRF reasons apparently).
For completeness, here is the code of the endpoint that’s being redirected to as my callback url:
export const GET = async ({ url, locals, cookies }) => {
const provider = JSON.parse(cookies.get("provider") || "{}");
console.log(provider)
if (url.searchParams.get("error")) {
throw new Error(url.searchParams.get("error"));
}
if (provider.state !== url.searchParams.get("state")) {
throw new Error("State parameters don't match.");
}
.....
};
Since the cookie is not avaiable, the providers’ state is always !== the state returned by twitter through the callback url.