feat: deep-merge cookies options

[yordis]

Context

Recently we had to manually configure the cookies in order to get our API service to authenticate with the NextAuth
cookie session token. Because the API lives under api.example.com and the NextJS app lives under example.com we had
to set the domain property of the cookie to .example.com in order to get the cookie to be sent to the API.

Here is the relevant code:

export const authOptions = {
  cookies: {
    sessionToken: {
      name: process.env.NODE_ENV === 'production' ? '__Secure-next-auth.session-token' : 'next-auth.session-token',
      options: {
        httpOnly: true,
        sameSite: 'lax',
        path: '/',
        secure: process.env.NODE_ENV === 'production',
        // this is the important part
        domain: process.env.NEXTAUTH_SESSION_TOKEN_COOKIE_DOMAIN,
      },
    },
    // removed the other cookies for brevity
  },
} satisfies NextAuthOptions;

Concern

In order to accomplish this, we have to overwrite the entire cookie configuration. This means that we have to
manually set the httpOnly, sameSite, path, secure, etc. properties. This is not ideal because if the NextAuth
team ever changes the default values for these properties, we will not get the benefit of those changes.
Or if new sensible defaults are added, we will not get those either.

It is critical to have secured and sensible defaults for these properties.

Also notice the error-prone nature of this code since it requires to understand interanlly how NextAuth works and how
cookies work in general. Adding __Secure-, __Host- (which middlewares in other languages relies on), or extremely
critical, make sure secure is set to true in production.

Breaking Change?

Since we must overwrite the entire cookie configuration as of today, this should not be a breaking change as far as I
can tell.

[vercel]

@yordis is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
auth-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Dec 14, 2023 2:42am

2 Ignored Deployments

Name	Status	Preview	Comments	Updated (UTC)
auth-docs-nextra	⬜️ Ignored (Inspect)	Visit Preview		Dec 14, 2023 2:42am
next-auth-docs	⬜️ Ignored (Inspect)	Visit Preview		Dec 14, 2023 2:42am

[balazsorban44]

Thanks! First I was hesitant, but this keeps the current defaults, so it should be safe.

However, some other tweaks were needed, which I applied.

[yordis]

Hey @balazsorban44 is there any opportunity to release this feature 🙏🏻