Which middleware has the bug?
@hono/oidc-auth
What version of the middleware?
1.8.1
What version of Hono are you using?
4.12.8
What runtime/platform is your app running on? (with version if possible)
Bun
What steps can reproduce the bug?
- Run the app like the example use of @hono/oidc-auth suggests
- Attempt to log in (a) via a browser like Safari on localhost or (b) via another device on its IP
- Observe the wonderful "unexpected 'state' parameter encountered" error
What is the expected behavior?
During local development/when serving on localhost and/or known local IP ranges, cookies necessary for auth/state should be usable across browsers and devices used for testing.
What do you see instead?
- Cookies with the Secure flag may be rejected by some browsers (e.g. Safari) that do not consider the origin secure.
- Authentication state stored in those cookies is lost, leading to errors in OAuth/redirect flows (e.g., "unexpected 'state' parameter encountered").
- Cross-device testing is not possible
Additional information
A proposed fix is to set the secure flag conditionally. Especially here and here based on whether the environment is in production or development/testing. An environment variable to override this should also be sufficient.
related issues: #1467
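One way to implement the conditional Secure flag proposed above, as an added example in TypeScript that is not part of @hono/oidc-auth or the issue itself. The `OIDC_COOKIE_SECURE` override variable, the `shouldUseSecureCookie` and `stateCookieOptions` helpers, and the set of "local" host ranges are all assumptions of this example; the returned options are in the shape a typical `setCookie()` helper accepts.

```typescript
// Added example, not middleware code: decide whether the OIDC state/session
// cookie gets the Secure attribute. Safari drops Secure cookies on plain
// http://localhost or http://192.168.x.x origins, which loses the state
// cookie and produces the "unexpected 'state' parameter" error in the issue.

interface CookieSecurityEnv {
  // Hypothetical override: "true" forces Secure, "false" disables it.
  OIDC_COOKIE_SECURE?: string;
  NODE_ENV?: string;
}

// Loopback and RFC 1918 private ranges used for cross-device testing (assumed set).
const PRIVATE_HOST =
  /^(localhost|\[::1\]|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)$/i;

function isLocalDevOrigin(requestUrl: string): boolean {
  const u = new URL(requestUrl);
  return u.protocol === "http:" && PRIVATE_HOST.test(u.hostname);
}

function shouldUseSecureCookie(requestUrl: string, env: CookieSecurityEnv = {}): boolean {
  // 1. An explicit override wins, so a dev box behind a TLS proxy can opt in
  //    and an operator can never be surprised by heuristics.
  if (env.OIDC_COOKIE_SECURE === "true") return true;
  if (env.OIDC_COOKIE_SECURE === "false") return false;
  // 2. HTTPS origins always get Secure.
  if (new URL(requestUrl).protocol === "https:") return true;
  // 3. Plain HTTP: relax only for loopback/private hosts outside production.
  if (env.NODE_ENV !== "production" && isLocalDevOrigin(requestUrl)) return false;
  // 4. Any other cleartext origin keeps Secure; the browser will drop the
  //    cookie, which is preferable to sending OIDC state over plain HTTP.
  return true;
}

// Attributes for the state cookie. SameSite=Lax keeps the cookie attached on
// the top-level redirect back from the identity provider; HttpOnly keeps it
// out of reach of page scripts.
function stateCookieOptions(requestUrl: string, env: CookieSecurityEnv = {}) {
  return {
    path: "/",
    httpOnly: true,
    sameSite: "Lax" as const,
    secure: shouldUseSecureCookie(requestUrl, env),
  };
}
```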