I found the issue for Express framework
https://github.com/expressjs/express/issues/3958
and it looks like it was fixed there.
node: v10.16.3
firebase-tools: 8.0.0
export const sameSiteCookie = functions.https.onRequest((req, res) => {
  cors(req, res, () => {
    const expiresIn = 60 * 60 * 24 * 5 * 1000;
    const options: any = {
      maxAge: expiresIn,
      httpOnly: true,
      secure: true,
      sameSite: 'none',
    };
    res.cookie('testCKI', 'value123', options);
    res.end(JSON.stringify({
      data: {
        status: 'success'
      }
    }));
  });
});
calling the cloud function above
set cookie value to SameSite=Never
TypeError: option sameSite is invalid
    at Object.serialize (/worker/node_modules/cookie/index.js:174:15)
    at ServerResponse.res.cookie (/worker/node_modules/express/lib/response.js:853:36)
    at cors (/srv/lib/index.js:106:13)
    at cors (/srv/node_modules/cors/lib/index.js:188:7)
    at /srv/node_modules/cors/lib/index.js:224:17
    at originCallback (/srv/node_modules/cors/lib/index.js:214:15)
    at /srv/node_modules/cors/lib/index.js:219:13
    at optionsCallback (/srv/node_modules/cors/lib/index.js:199:9)
    at corsMiddleware (/srv/node_modules/cors/lib/index.js:204:7)
    at exports.sessionLogin.functions.https.onRequest (/srv/lib/index.js:98:5)
no error messages seen
Thanks for reporting this @matjazonline. Could you also share which version of firebase-functions you are using?
This does look like a similar issue to the one that you found from Express - however, it's not immediately clear to me which package is causing it here. According to that issue, this was fixed in [email protected], which firebase-functions has been using for 10 months now: https://github.com/firebase/firebase-functions/blame/master/package.json#L43
I'm going to do some further testing to see if I can repro this and figure out which package we need to update to stop this error.
Hi Joehan,
I'm using [email protected] and there is also [email protected] in the same
node_modules directory.
On Wed, 8 Apr 2020 at 19:02, joehan notifications@github.com wrote:
Thanks for reporting this @matjazonline https://github.com/matjazonline.
Could you also share which version of firebase-functions you are using?
This does look like a similar issue to the one that you found from Express
- however, it's not immediately clear to me which package is causing it
here. According to that issue, this was fixed in [email protected], which
firebase-functions has been using for 10 months now:
https://github.com/firebase/firebase-functions/blame/master/package.json#L43
From the debug logs you shared, I think this could be coming from the cors
package. The latest version is 2.8.5, which came out right around when
[email protected] was released, but we are on 2.8.4, which is 3 years old.
Going to investigate/test further to see if we can fix this by updating
cors to 2.8.5.
@joehan we also hit this:
TypeError: option sameSite is invalid
    at Object.serialize (/worker/node_modules/cookie/index.js:174:15)
    at ServerResponse.res.cookie (/worker/node_modules/express/lib/response.js:853:36)
We have "cookie": "^0.4.1" in package.json and our package-lock.json has
    "cookie": {
      "version": "0.4.1",
      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz",
      "integrity": "sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA=="
    },
The stack trace, however, matches the lines in an older cookie lib version, so for some reason the versions are not honored when deployed to CF?
Running with "firebase-functions": "^3.6.1", and latest cli to deploy. 8 as the node engine.
You can check here: https://github.com/jshttp/cookie/pull/89/files that the lines match cookie lib < 1.4.0 being used in CF.
@matjazonline for the time being, you can write raw cookies (multiple) like this:
    res.setHeader('set-cookie', [
      'firstCookie=' + valueForFirst + '; Max-Age=' + expiresSeconds + '; Path=/some/path/; Expires=' + expiresDate.toUTCString() + '; Secure; SameSite=None; Domain=my-domain.com; HttpOnly',
      'secondCookie=' + valueForSecond + '; Max-Age=' + expiresSeconds + '; Path=/other/; Expires=' + expiresDate.toUTCString() + '; SameSite=Strict;'
    ])
etc.
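A stricter form of the raw `Set-Cookie` workaround above, as an added example (not code from this thread, Express, or the cookie package): the hypothetical helper `serializeCookie` percent-encodes the value, validates the name and attributes, and refuses `SameSite=None` without `Secure`, a combination that browsers enforcing the newer SameSite rules reject. The option names (`maxAgeSeconds`, `path`, `domain`, `httpOnly`, `secure`, `sameSite`) are assumptions of this example.

```javascript
// Added example: hypothetical helper, not part of express, cookie or firebase-functions.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // cookie-name must be an RFC 7230 token
const ATTR_VALUE = /^[\x20-\x3A\x3C-\x7E]+$/;   // printable ASCII without ';'
const SAME_SITE = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);

function serializeCookie(name, value, opts = {}) {
  if (!TOKEN.test(name)) throw new TypeError('invalid cookie name');
  // encodeURIComponent escapes ';', spaces, CR and LF, so a value cannot
  // smuggle extra attributes or a second header line.
  const parts = [name + '=' + encodeURIComponent(String(value))];

  if (opts.maxAgeSeconds !== undefined) {
    if (!Number.isInteger(opts.maxAgeSeconds)) throw new TypeError('invalid maxAgeSeconds');
    parts.push('Max-Age=' + opts.maxAgeSeconds);
  }
  for (const [label, attr] of [['Path', opts.path], ['Domain', opts.domain]]) {
    if (attr === undefined) continue;
    if (!ATTR_VALUE.test(attr)) throw new TypeError('invalid ' + label);
    parts.push(label + '=' + attr);
  }
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');

  if (opts.sameSite !== undefined) {
    // Map lookup avoids matching inherited keys such as "constructor".
    const sameSite = SAME_SITE.get(String(opts.sameSite).toLowerCase());
    if (!sameSite) throw new TypeError('option sameSite is invalid');
    if (sameSite === 'None' && !opts.secure) {
      throw new TypeError('SameSite=None requires Secure');
    }
    parts.push('SameSite=' + sameSite);
  }
  return parts.join('; ');
}

// Usage inside a handler (res is the Express / Cloud Functions response):
//   res.setHeader('Set-Cookie', [serializeCookie('testCKI', 'value123', { secure: true, sameSite: 'none' })]);
```

Note that `Max-Age` is in seconds, whereas Express's `maxAge` option in the original function is in milliseconds.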
Did anyone fix this issue?