fix(auth): resolve cookie authentication failure over HTTP

Cookies were set with secure flag based solely on NODE_ENV, causing 401 errors when accessing over HTTP with NODE_ENV=production. - Add COOKIE_SECURE env var for explicit control - Auto-detect HTTPS via X-Forwarded-Proto header in production - Extract isSecureCookie() utility to lib/auth/utils.ts - Document COOKIE_SECURE in README and .env.example Fixes #39
2026-01-23 15:26:24 -05:00
parent be49b91188
commit 30c661a364
6 changed files with 30 additions and 7 deletions
--- a/app/api/auth/login/route.ts
+++ b/app/api/auth/login/route.ts
@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { generateAccessToken, generateRefreshToken, validateAdminCredentials } from '@/lib/auth/utils';
+import { generateAccessToken, generateRefreshToken, validateAdminCredentials, isSecureCookie } from '@/lib/auth/utils';

 export async function POST(request: NextRequest) {
  try {
@@ -36,7 +36,7 @@ export async function POST(request: NextRequest) {
    // Set cookies
    const cookieOptions = {
      httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
+      secure: isSecureCookie(request),
      sameSite: 'lax' as const,
      path: '/',
    };
--- a/app/api/auth/refresh/route.ts
+++ b/app/api/auth/refresh/route.ts
@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { generateAccessToken, generateRefreshToken, verifyRefreshToken } from '@/lib/auth/utils';
+import { generateAccessToken, generateRefreshToken, verifyRefreshToken, isSecureCookie } from '@/lib/auth/utils';

 export async function POST(request: NextRequest) {
  try {
@@ -49,7 +49,7 @@ export async function POST(request: NextRequest) {
    // Set new cookies
    const cookieOptions = {
      httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
+      secure: isSecureCookie(request),
      sameSite: 'lax' as const,
      path: '/',
    };