
iOS 12 devices cannot login cofacts.tw #259

Open
MrOrz opened this issue Aug 2, 2021 · 1 comment
MrOrz commented Aug 2, 2021

No matter which domain they use, iOS 12 users are not able to log in to Cofacts, regardless of whether they logged in to Cofacts on other devices before.

[Screenshot 2021-08-03 12:34:35 AM]

Root cause

iOS <=12 has a bug in its WebKit core, which interprets SameSite=None as SameSite=Strict.
https://medium.com/reactfunctioncomponentnote/samesite-%E4%B9%8B%E4%BA%82-f7e1645642bf

When SameSite=Strict, the browser will not send the cookie, even when we are redirecting the whole page, as long as the source (in this case the authenticating service like FB, Google, etc.) and the destination URL (api.cofacts.tw/callback/*) are not in the same "site" (that is, *.cofacts.tw).

Therefore, iOS 12 will not send the session cookie to the /callback/* endpoint, and the endpoint cannot proceed without such session keys.

Proposed changes

Consider the following facts:

  • All cookies without a SameSite flag will be Lax by default, which does not send the cookie for cross-site "sub-requests" (images, frames) but allows cross-site cookies for navigations. Therefore, the default SameSite=Lax does not interfere with the OAuth login redirect.
  • In iOS cannot login cofacts.tw #250 we have moved APIs and sites to the same site (cofacts.tw) by default. Therefore, Site <-> API communications are all same-site requests.
  • iOS <=12 should work on cofacts.tw without any SameSite flags (needs test)

Therefore we should be able to drop the SameSite flag at once.

  • Remove the SameSite logic
  • Remove the related COOKIE_SAMESITE_NONE and HTTPS
  • For localhost development (localhost and the staging API are definitely cross-site), use the /api proxy in the localhost environment (See Method 2 in Cannot login to local dev server #186 (comment) )
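To make the root cause concrete, here is an added example (not Cofacts code) that simulates a browser's SameSite decision for the OAuth callback navigation described above. The `siteOf` helper, the request shape, and the host names are assumptions; `siteOf` approximates "site" as the last two host labels instead of consulting the Public Suffix List.

```javascript
// Added example: simulate whether a browser attaches a cookie to a request
// under each SameSite mode, and what the iOS <=12 WebKit bug changes.

// Simplified "site": last two labels of the host (eTLD+1 approximation).
// Assumption: hosts like api.cofacts.tw / cofacts.tw; real browsers use the
// Public Suffix List instead.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// SameSite rules:
//   None   -> sent on any request, but only if the cookie is Secure
//   Lax    -> sent on same-site requests, and on cross-site top-level
//             navigations that use a safe method (GET)
//   Strict -> sent on same-site requests only
// A cookie without the attribute (sameSite undefined) defaults to Lax.
function shouldSendCookie(cookie, req) {
  const sameSite = siteOf(req.initiatorHost) === siteOf(req.targetHost);
  const mode = cookie.sameSite || 'Lax';
  if (mode === 'None') return Boolean(cookie.secure);
  if (sameSite) return true;
  if (mode === 'Lax') return req.topLevelNavigation && req.method === 'GET';
  return false; // Strict
}

// Models the bug described in the issue: iOS <=12 treats None as Strict.
function shouldSendCookieIOS12(cookie, req) {
  const buggy = cookie.sameSite === 'None' ? { ...cookie, sameSite: 'Strict' } : cookie;
  return shouldSendCookie(buggy, req);
}

// Constructed request: the OAuth provider redirects the whole page back to
// the API callback, so this is a cross-site top-level GET navigation.
const callbackRedirect = {
  initiatorHost: 'accounts.google.com',
  targetHost: 'api.cofacts.tw',
  topLevelNavigation: true,
  method: 'GET',
};

// Constructed request: the site calling its own API on the same site.
const sameSiteApiCall = {
  initiatorHost: 'cofacts.tw',
  targetHost: 'api.cofacts.tw',
  topLevelNavigation: false,
  method: 'POST',
};

// Constructed request: a cross-site image load (a "sub-request").
const crossSiteImage = {
  initiatorHost: 'example.com',
  targetHost: 'api.cofacts.tw',
  topLevelNavigation: false,
  method: 'GET',
};
```

Running `shouldSendCookie` on `callbackRedirect` shows that a `SameSite=None; Secure` cookie and a cookie with no attribute (Lax) are both sent, while `shouldSendCookieIOS12` drops the `None` cookie exactly as the issue describes; the same-site API call is unaffected in every mode, which is why dropping the flag after #250 is safe for Site <-> API traffic.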
@MrOrz MrOrz changed the title iOS 12 devices cannot login Cofacts website iOS 12 devices cannot login cofacts.tw Aug 2, 2021

MrOrz commented Aug 18, 2021

Conclusion: According to the 0804 discussion

We will detect iOS <= 12 with the User-Agent header and not set the SameSite flag if iOS <= 12 is detected.
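The agreed approach, written out as an added example (not Cofacts code): derive the iOS major version from the User-Agent header and leave the SameSite attribute off the session cookie for iOS <= 12, keeping `SameSite=None; Secure` for every other client. The regex, the cookie name, and the option object shape are assumptions; the option keys mirror what Koa's `ctx.cookies.set` accepts, but check your framework's cookie setter before relying on them.

```javascript
// Added example: choose the session cookie's SameSite attribute per client.
// iOS <=12 WebKit treats SameSite=None as Strict, so that client gets no
// SameSite attribute at all (browser default: Lax, which still allows the
// OAuth callback navigation). Everyone else keeps SameSite=None; Secure.

// Matches the "OS 12_4 like Mac OS X" token that iOS WebKit puts in the UA.
// Every browser on iOS uses WebKit, so the OS token is what matters, not the
// browser name. Assumed regex; covers iPhone, iPad and iPod tokens.
const IOS_VERSION_RE = /\b(?:iPhone|iPad|iPod)\b.*?\bOS (\d+)[_.]\d+/;

// Returns the iOS major version, or null when the UA is not an iOS device.
function iosMajorVersion(userAgent) {
  const m = IOS_VERSION_RE.exec(userAgent || '');
  return m ? parseInt(m[1], 10) : null;
}

function isIOS12OrOlder(userAgent) {
  const v = iosMajorVersion(userAgent);
  return v !== null && v <= 12;
}

// Cookie options for a framework cookie setter (keys assumed: httpOnly,
// secure, sameSite). For iOS <=12 the sameSite key is simply absent.
function sessionCookieOptions(userAgent) {
  const base = { httpOnly: true, secure: true };
  if (isIOS12OrOlder(userAgent)) return base;
  return { ...base, sameSite: 'none' };
}

// The same decision rendered as a raw Set-Cookie header value, for servers
// that write the header directly.
function sessionSetCookieHeader(name, value, userAgent) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'Secure'];
  if (!isIOS12OrOlder(userAgent)) parts.push('SameSite=None');
  return parts.join('; ');
}

// Constructed User-Agent strings for the three cases that matter.
const UA_IOS12 =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1';
const UA_IPAD_IOS12 =
  'Mozilla/5.0 (iPad; CPU OS 12_5_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1';
const UA_IOS14 =
  'Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Mobile/15E148 Safari/604.1';
const UA_DESKTOP =
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Safari/605.1.15';
```

Two caveats worth knowing when deploying this: iPadOS 13+ Safari sends a desktop Mac UA by default, so it is not detected here, which is fine because those versions do not have the bug; and the UA header is client-controlled, so the detection only relaxes the SameSite attribute and must never be used to grant anything, since a Lax-by-default cookie is still protected against cross-site sub-requests.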
