Merge pull request #1218 from elie222/fix/secure-cookies-final

apps/web/app/(app)/[emailAccountId]/calendars/ConnectCalendar.tsx

@@ -22,7 +22,7 @@ export function ConnectCalendar({
 
   const setOnboardingReturnCookie = () => {
     if (onboardingReturnPath) {
-      document.cookie = `${CALENDAR_ONBOARDING_RETURN_COOKIE}=${encodeURIComponent(onboardingReturnPath)}; path=/; max-age=180`;
+      document.cookie = `${CALENDAR_ONBOARDING_RETURN_COOKIE}=${encodeURIComponent(onboardingReturnPath)}; path=/; max-age=180; SameSite=Lax; Secure`;
     }
   };
 

apps/web/app/(landing)/welcome/utms.tsx

@@ -39,15 +39,24 @@ export function registerUtmTracking({
 // See: https://nextjs.org/docs/app/api-reference/functions/after
 export function extractUtmValues(cookies: ReadonlyRequestCookies): UtmValues {
   return {
-    utmCampaign: cookies.get("utm_campaign")?.value,
-    utmMedium: cookies.get("utm_medium")?.value,
-    utmSource: cookies.get("utm_source")?.value,
-    utmTerm: cookies.get("utm_term")?.value,
-    affiliate: cookies.get("affiliate")?.value,
-    referralCode: cookies.get("referral_code")?.value,
+    utmCampaign: decodeCookieValue(cookies.get("utm_campaign")?.value),
+    utmMedium: decodeCookieValue(cookies.get("utm_medium")?.value),
+    utmSource: decodeCookieValue(cookies.get("utm_source")?.value),
+    utmTerm: decodeCookieValue(cookies.get("utm_term")?.value),
+    affiliate: decodeCookieValue(cookies.get("affiliate")?.value),
+    referralCode: decodeCookieValue(cookies.get("referral_code")?.value),
   };
 }
 
+function decodeCookieValue(value: string | undefined): string | undefined {
+  if (!value) return undefined;
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+
 export async function fetchUserAndStoreUtms(
   userId: string,
   utmValues: UtmValues,

apps/web/app/utm.tsx

@@ -15,17 +15,17 @@ function setUtmCookies() {
   const expires = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toUTCString();
 
   if (utmSource)
-    document.cookie = `utm_source=${utmSource}; expires=${expires}; path=/`;
+    document.cookie = `utm_source=${encodeURIComponent(utmSource)}; expires=${expires}; path=/; SameSite=Lax; Secure`;
   if (utmMedium)
-    document.cookie = `utm_medium=${utmMedium}; expires=${expires}; path=/`;
+    document.cookie = `utm_medium=${encodeURIComponent(utmMedium)}; expires=${expires}; path=/; SameSite=Lax; Secure`;
   if (utmCampaign)
-    document.cookie = `utm_campaign=${utmCampaign}; expires=${expires}; path=/`;
+    document.cookie = `utm_campaign=${encodeURIComponent(utmCampaign)}; expires=${expires}; path=/; SameSite=Lax; Secure`;
   if (utmTerm)
-    document.cookie = `utm_term=${utmTerm}; expires=${expires}; path=/`;
+    document.cookie = `utm_term=${encodeURIComponent(utmTerm)}; expires=${expires}; path=/; SameSite=Lax; Secure`;
   if (affiliate)
-    document.cookie = `affiliate=${affiliate}; expires=${expires}; path=/`;
+    document.cookie = `affiliate=${encodeURIComponent(affiliate)}; expires=${expires}; path=/; SameSite=Lax; Secure`;
   if (referralCode)
-    document.cookie = `referral_code=${referralCode}; expires=${expires}; path=/`;
+    document.cookie = `referral_code=${encodeURIComponent(referralCode)}; expires=${expires}; path=/; SameSite=Lax; Secure`;
 }
 
 export function UTM() {

apps/web/components/ui/sidebar.tsx

@@ -90,7 +90,7 @@ const SidebarProvider = React.forwardRef<
         // This sets the cookie to keep the sidebar state.
         // This sets the cookie to keep the sidebar state.
         sidebarNames.forEach((sidebarName) => {
-          document.cookie = `${sidebarName}:state=${openState.includes(sidebarName)}; path=/; max-age=${SIDEBAR_COOKIE_MAX_AGE}`;
+          document.cookie = `${sidebarName}:state=${openState.includes(sidebarName)}; path=/; max-age=${SIDEBAR_COOKIE_MAX_AGE}; SameSite=Lax; Secure`;
         });
       },
       [setOpenProp, open, sidebarNames],

apps/web/utils/auth-cookies.ts

@@ -7,7 +7,7 @@ export function getAndClearAuthErrorCookie(): string | undefined {
     .join("=");
 
   if (authErrorCookie) {
-    document.cookie = "auth_error=; path=/; max-age=0";
+    document.cookie = "auth_error=; path=/; max-age=0; SameSite=Lax; Secure";
   }
 
   return authErrorCookie;

apps/web/utils/auth.ts

@@ -277,7 +277,12 @@ export async function handleReferralOnSignUp({
       return;
     }
 
-    const referralCode = referralCookie.value;
+    let referralCode = referralCookie.value;
+    try {
+      referralCode = decodeURIComponent(referralCode);
+    } catch {
+      // Use original value if decoding fails
+    }
     logger.info("Processing referral for new user", {
       email,
       referralCode,

apps/web/utils/cookies.ts

@@ -9,13 +9,13 @@ export type LastEmailAccountCookieValue = {
 };
 
 export function markOnboardingAsCompleted(cookie: string) {
-  document.cookie = `${cookie}=true; path=/; max-age=${Number.MAX_SAFE_INTEGER}; SameSite=Lax`;
+  document.cookie = `${cookie}=true; path=/; max-age=${Number.MAX_SAFE_INTEGER}; SameSite=Lax; Secure`;
 }
 
 export function setInvitationCookie(invitationId: string) {
-  document.cookie = `${INVITATION_COOKIE}=${invitationId}; path=/; max-age=${7 * 24 * 60 * 60}; SameSite=Lax`;
+  document.cookie = `${INVITATION_COOKIE}=${invitationId}; path=/; max-age=${7 * 24 * 60 * 60}; SameSite=Lax; Secure`;
 }
 
 export function clearInvitationCookie() {
-  document.cookie = `${INVITATION_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax`;
+  document.cookie = `${INVITATION_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax; Secure`;
 }