From d5eabd77712ed34f3cb8f871b68719286750745f Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Fri, 27 Jan 2023 18:52:47 -0500
Subject: [PATCH] fix: Allow loading attachments linked from other sites/emails. Loosens same-site policy to include cookies for navigation events. closes #4737
---
 server/routes/auth/index.ts | 2 +-
 server/utils/authentication.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/routes/auth/index.ts b/server/routes/auth/index.ts
index 8a2a0be55..4a71b944f 100644
--- a/server/routes/auth/index.ts
+++ b/server/routes/auth/index.ts
@@ -34,7 +34,7 @@ router.get("/redirect", auth(), async (ctx: APIContext) => {
 ctx.cookies.set("accessToken", jwtToken, {
 httpOnly: false,
- sameSite: true,
+ sameSite: "lax",
 expires: addMonths(new Date(), 3),
 });
 const [team, collection, view] = await Promise.all([
diff --git a/server/utils/authentication.ts b/server/utils/authentication.ts
index 9a01cb26e..c528f3bdf 100644
--- a/server/utils/authentication.ts
+++ b/server/utils/authentication.ts
@@ -119,7 +119,7 @@ export async function signIn(
 }
 } else {
 ctx.cookies.set("accessToken", user.getJwtToken(), {
- sameSite: true,
+ sameSite: "lax",
 httpOnly: false,
 expires,
 });
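Review bot: With `sameSite: "lax"` the `accessToken` cookie set in the `/redirect` handler is now attached to cross-site top-level GET navigations, so every GET route that authenticates from this cookie can be triggered by a link on another site, and nothing in the commit shows that those routes were checked to be read-only. The same change is made in `signIn` in server/utils/authentication.ts and the point applies there too. The handler's body starts and ends outside the hunk, so whether `/redirect` itself changes state on such a navigation cannot be judged from these lines. I would record the trade-off where the option is set, e.g. `// "lax": sent on cross-site top-level GET navigation so attachment links work (#4737); cookie-authenticated GET handlers must not change state`.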
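Review bot: The cookie options for `accessToken` are spelled out separately here in `signIn` and in the `/redirect` handler in server/routes/auth/index.ts, in different key order, which is why this commit had to make the same edit twice; a later change to one site can easily miss the other. A single shared definition, for example `const accessTokenCookieOptions = { httpOnly: false, sameSite: "lax" } as const;` spread into both `ctx.cookies.set` calls, would keep them aligned. Neither call passes `secure` in the visible lines, so whether the token is restricted to HTTPS depends on defaults or configuration outside the hunk, which is worth confirming now that the cookie travels on cross-site navigations. `signIn` begins before and continues after this hunk.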