Cookie is being stored on both localhost:3001 and localhost:3000?

Time:08-10

I am using PassportJS, and using passport-discord for oauth login.

I don't have any real issues with this flow so far although a major question arises.

authRouter.get('/discord', passport.authenticate('discord', { session: false }))

authRouter.get('/discord/callback', passport.authenticate('discord',  { session: false }), (req, res) => {
    const token = jwt.sign(req.user , 'SECRET')

    res.cookie('token', token, {
        httpOnly: true,
        maxAge: 60000
    })
    res.redirect(`http://localhost:3000`)
})

For some odd reason, once I get redirected to my main website at localhost:3000, the cookie is being stored there normally, as it should. However, if I go to localhost:3001/ and check my cookies, I see that a cookie is being stored there as well.

Is this to be expected? It seems like a major flaw both in terms of logic and security? I am following this exactly: https://www.passportjs.org/packages/passport-discord/

I am using cookie-parser as well.

var DiscordStrategy = require('passport-discord').Strategy;

var scopes = ['identify', 'email', 'guilds', 'guilds.join'];

passport.use(new DiscordStrategy({
    clientID: 'id',
    clientSecret: 'secret',
    callbackURL: 'callbackURL',
    scope: scopes
},
function(accessToken, refreshToken, profile, cb) {
    return cb(null, profile)
}));

CodePudding user response:

> For some odd reason

It's not odd, it's how cookies work and have always worked. The cookie is bound to the domain, not the port. It's not a security flaw. In production, you use only two ports anyway, either 80 or 443. You won't have an application that listens on port 3000 exposed directly to your users.

If you need to limit cookies to one app during development you can either configure domains that you point to localhost (see the link @Aziz added in the comment), or set the path attribute on cookies. This way the cookie is sent by the browser only when calling the given path.
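
Added example, not part of the original answer and not Express or Passport code: a simplified version of the browser's cookie matching rules from RFC 6265, applied to the cookie from the question and to the two workarounds the answer mentions. The function names, the `/auth` path and the `app.localhost` / `api.localhost` hostnames are assumptions made for illustration.

```javascript
// Simplified cookie matching after RFC 6265 (sections 5.1.3, 5.1.4, 5.4).
// Function names are illustrative; nothing here is Express or Passport API.

// Host check: a cookie set without a Domain attribute is host-only.
function domainMatch(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Path check: the cookie path must be a prefix ending on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would a browser attach this cookie to a request for requestUrl?
// url.port is deliberately never read: the port is not part of the match.
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  return domainMatch(url.hostname, cookie) && pathMatch(url.pathname, cookie.path);
}

// The question's cookie: set by localhost:3001, no Domain, Express default Path=/.
const token = { name: 'token', domain: 'localhost', hostOnly: true, path: '/' };
// Same cookie with a Path attribute (the '/auth' value is an assumption).
const scoped = { ...token, path: '/auth' };
// Same cookie set from a separate dev hostname (hostname is an assumption).
const perHost = { ...token, domain: 'api.localhost' };

function demo() {
  return {
    tokenOn3000: wouldSend(token, 'http://localhost:3000/'),
    tokenOn3001: wouldSend(token, 'http://localhost:3001/'),
    scopedOnRoot3000: wouldSend(scoped, 'http://localhost:3000/'),
    scopedOnAuth3001: wouldSend(scoped, 'http://localhost:3001/auth/discord'),
    scopedOnAuth3000: wouldSend(scoped, 'http://localhost:3000/auth'),
    perHostOnApp: wouldSend(perHost, 'http://app.localhost:3000/'),
    perHostOnApi: wouldSend(perHost, 'http://api.localhost:3001/'),
  };
}

console.log(demo());
```

`scopedOnAuth3000` comes out true: a Path attribute narrows which URLs receive the cookie but is still port-agnostic, so separate hostnames give the stricter separation during development.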
