fix(server): always set new session cookie (#6323)

packages/backend/server/src/core/auth/service.ts

@@ -60,7 +60,7 @@ export class AuthService implements OnApplicationBootstrap {
     path: '/',
     secure: this.config.https,
   };
-  static readonly sessionCookieName = 'sid';
+  static readonly sessionCookieName = 'affine_session';
   static readonly authUserSeqHeaderName = 'x-auth-user';
 
   constructor(
@@ -299,10 +299,11 @@ export class AuthService implements OnApplicationBootstrap {
     }
   }
 
-  async setCookie(req: Request, res: Response, user: { id: string }) {
+  async setCookie(_req: Request, res: Response, user: { id: string }) {
     const session = await this.createUserSession(
-      user,
-      req.cookies[AuthService.sessionCookieName]
+      user
+      // TODO(@forehalo): enable multi user session
+      // req.cookies[AuthService.sessionCookieName]
     );
 
     res.cookie(AuthService.sessionCookieName, session.sessionId, {

packages/backend/server/tests/auth/guard.spec.ts

@@ -73,7 +73,7 @@ test('should be able to visit public api if signed in', async t => {
 
   const res = await request(app.getHttpServer())
     .get('/public')
-    .set('Cookie', 'sid=1')
+    .set('Cookie', `${AuthService.sessionCookieName}=1`)
     .expect(HttpStatus.OK);
 
   t.is(res.body.user.id, '1');
@@ -102,7 +102,7 @@ test('should be able to visit private api if signed in', async t => {
 
   const res = await request(app.getHttpServer())
     .get('/private')
-    .set('Cookie', 'sid=1')
+    .set('Cookie', `${AuthService.sessionCookieName}=1`)
     .expect(HttpStatus.OK);
 
   t.is(res.body.user.id, '1');
@@ -113,7 +113,7 @@ test('should be able to parse session cookie', async t => {
 
   await request(app.getHttpServer())
     .get('/public')
-    .set('cookie', 'sid=1')
+    .set('cookie', `${AuthService.sessionCookieName}=1`)
     .expect(200);
 
   t.deepEqual(auth.getUser.firstCall.args, ['1', 0]);

packages/backend/server/tests/oauth/controller.spec.ts

@@ -309,7 +309,7 @@ test('should throw if oauth account already connected', async t => {
 
   const res = await request(app.getHttpServer())
     .get(`/oauth/callback?code=1&state=1`)
-    .set('cookie', 'sid=1')
+    .set('cookie', `${AuthService.sessionCookieName}=1`)
     .expect(HttpStatus.FOUND);
 
   const link = new URL(res.headers.location);
@@ -331,7 +331,7 @@ test('should be able to connect oauth account', async t => {
 
   await request(app.getHttpServer())
     .get(`/oauth/callback?code=1&state=1`)
-    .set('cookie', 'sid=1')
+    .set('cookie', `${AuthService.sessionCookieName}=1`)
     .expect(HttpStatus.FOUND);
 
   const account = await db.connectedAccount.findFirst({

packages/backend/server/tests/utils/user.ts

@@ -2,13 +2,17 @@ import type { INestApplication } from '@nestjs/common';
 import { PrismaClient } from '@prisma/client';
 import request, { type Response } from 'supertest';
 
-import type { ClientTokenType, CurrentUser } from '../../src/core/auth';
+import {
+  AuthService,
+  type ClientTokenType,
+  type CurrentUser,
+} from '../../src/core/auth';
 import type { UserType } from '../../src/core/user';
 import { gql } from './common';
 
 export function sessionCookie(headers: any) {
   const cookie = headers['set-cookie']?.find((c: string) =>
-    c.startsWith('sid=')
+    c.startsWith(`${AuthService.sessionCookieName}=`)
   );
 
   if (!cookie) {

packages/frontend/electron/src/main/deep-link.ts

@@ -88,7 +88,7 @@ async function handleOauthJwt(url: string) {
         httpOnly: true,
         value: token,
         secure: true,
-        name: 'sid',
+        name: 'affine_session',
         expirationDate: Math.floor(Date.now() / 1000 + 3600 * 24 * 7),
       });