root/chadebebe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): resolve cookie authentication failure over HTTP

Browse Source 
Cookies were set with secure flag based solely on NODE_ENV, causing
401 errors when accessing over HTTP with NODE_ENV=production.

- Add COOKIE_SECURE env var for explicit control
- Auto-detect HTTPS via X-Forwarded-Proto header in production
- Extract isSecureCookie() utility to lib/auth/utils.ts
- Document COOKIE_SECURE in README and .env.example

Fixes #39
This commit is contained in:
Michael T
2026-01-23 15:26:24 -05:00
parent be49b91188
commit 30c661a364
6 changed files with 30 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/api/auth/login/route.ts
View File

@@ -1,5 +1,5 @@
import { NextRequest, NextResponse } from 'next/server';
import { generateAccessToken, generateRefreshToken, validateAdminCredentials } from '@/lib/auth/utils';
import { generateAccessToken, generateRefreshToken, validateAdminCredentials, isSecureCookie } from '@/lib/auth/utils';
export async function POST(request: NextRequest) {
try {
@@ -36,7 +36,7 @@ export async function POST(request: NextRequest) {
// Set cookies
const cookieOptions = {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
secure: isSecureCookie(request),
sameSite: 'lax' as const,
path: '/',
};

4
app/api/auth/refresh/route.ts
View File

@@ -1,5 +1,5 @@
import { NextRequest, NextResponse } from 'next/server';
import { generateAccessToken, generateRefreshToken, verifyRefreshToken } from '@/lib/auth/utils';
import { generateAccessToken, generateRefreshToken, verifyRefreshToken, isSecureCookie } from '@/lib/auth/utils';
export async function POST(request: NextRequest) {
try {
@@ -49,7 +49,7 @@ export async function POST(request: NextRequest) {
// Set new cookies
const cookieOptions = {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
secure: isSecureCookie(request),
sameSite: 'lax' as const,
path: '/',
};

6
app/api/lock/route.ts
View File

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
import { eq } from 'drizzle-orm';
import { db, settings } from '@/lib/db';
import crypto from 'crypto';
import { isSecureCookie } from '@/lib/auth/utils';
// POST /api/lock - Verify password
export async function POST(request: NextRequest) {
@@ -41,12 +42,11 @@ export async function POST(request: NextRequest) {
message: 'Password verified',
});
// Set an unlock cookie that expires in 24 hours
response.cookies.set('site_unlocked', 'true', {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
secure: isSecureCookie(request),
sameSite: 'lax',
maxAge: 60 * 60 * 24, // 24 hours
maxAge: 60 * 60 * 24,
path: '/',
});