fix(core): Use more secure default for cookie sameSite option

Relates to GHSA-h9wq-xcqx-mqxm.
The default used by the underlying `cookie-session` middleware is `false`, which is the least
secure setting. In modern browsers, this should be interpreted as `lax`, but this cannot be assumed
to be the case in 100% of situations. Therefore, we will now default to `lax` and if the user
needs a less restrictive policy, they can explicitly set it to `none`.

Author: michaelbromley

packages/core/src/config/default-config.ts

@@ -86,6 +86,7 @@ export const defaultConfig: RuntimeVendureConfig = {
         cookieOptions: {
             secret: Math.random().toString(36).substr(3),
             httpOnly: true,
+            sameSite: 'lax',
         },
         authTokenHeaderKey: DEFAULT_AUTH_TOKEN_HEADER_KEY,
         sessionDuration: '1y',